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What will you learn from this book? 


Ready to take your static HTML web pages to the next level, and 
build daiabase-driven sites using PHP and MySQL? Then Head First 
PHP & MySQl, is your hands-on guide to getting dynamic sites 
running, fast. Get your hands dirty building real applications, 
ranging from a video game high-score message board to an online 
dating site* By the time you Ye through ， you’ll be validating forms, 
working with session IDs and cookies, performing database c]ueries 
and joins, handling file I/O operations, and more. 
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Why does this book look so different? 

We think your time is too valuable to spend siruggling with new 
concepts. Usirig the latest research in cognitive science and learning 
theory to craft a nuilti-sensory learning experience, Hmd First PHP 
& MySQL uses a visually rich format designed for the way your 
brain works, not a text-heavy approach dial puis you to sleep* 


“PHP and MySQL are 
two of today 1 s most 
popular web develop- 
ment technologies, 
and this book shows 
readers why. Building 
a site without them 
is now as unthink¬ 
able as doing web 
design without CSS. 
This book is a great 
introduction and is 
laugh-out-loud funny. 
It’s the booli I wish 
I had learned from.” 

——Harvey Quamm, 

Assormte 1 y rofesHor 
of English and 
Hu m an it tes Compu ling, 
Un iversity of A Iberia 

“ Reading Head Mrst 
PHP MySQL is like 
taMng a Glass from 
the *coor teacher. It 
makes you look for¬ 
ward to learning- ” 

— Stephanie IJese, 
Web Developer 
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Advance Praise for Head First PHP & MySQL 


“PHP and MySQL are two of today’s most popular web development technologies, and this book shows 
readers why. Building a site without them is now as unthinkable as doing web design without CSS. This 
book is a great introduction and is laugh-out-loud funny. It’s the book I wish I had learned from.” 

— Harvey Quamen, Associate Professor of English and Humanities Computing, 
University of Alberta 


u Everything we’ve come to accept about the drudgery of technical learning has been abandoned and in 
its place an unusually fun method for learning is created. I have full confidence that the Head First series 
will revolutionize the technical publishing industry, and that these new methods will be the eventual 
standard. I bet my tech-phobic grandmother could pick up PHP and MySQL techniques after a single 
reading. She’d probably even have a good time doing it!，’ 

— Will Harris, Database Administrator, Powered By Geek 


“Reading Head First PHP & MySQL is like taking a class from the c cool’ teacher. It makes you look 
forward to learning.” 

— Stephanie Liese，Web Developer 


“Using images and humor the book is easy to digest and yet delivers real technical know-how.” 


— Jereme Allen, Web Developer 


‘“After a challenging, high-speed read-through and lots of quirky “Do This” projects, such as “My dog 
was abducted by aliens” and the “Mismatch Dating Agency,” I can’t wait to add some real PHP power 
to my web sites.” 

— David Briggs，Software Engineer and Technical Author 


Praise for Head First HTML with CSS & XHTML 


“Eric and Elisabeth Freeman clearly know their stuff. As the Internet becomes more complex, inspired 
construction of web pages becomes increasingly critical. Elegant design is at the core of every chapter here, 
each concept conveyed with equal doses of pragmatism and wit.” 

— Ken Goldstein, Executive Vice President & Managing Director, Disney Online 


“The Web would be a much better place if every HTML author started off by reading this book.” 

— L. David Baron, Technical Lead, Layout & CSS, Mozilla Corporation, 
http:/ / dbaron. org/ 


“I’ve been writing HTML and CSS for ten years now, and what used to be a long trial and error learning 
process has now been reduced neatly into an engaging paperback. HTML used to be something you 
could just hack away at until things looked okay on screen, but with the advent of web standards and 
the movement towards accessibility, sloppy coding practice is not acceptable anymore... from a business 
standpoint or a social responsibility standpoint. Head First HTML with CSS & XHTML teaches you how 
to do things right from the beginning without making the whole process seem overwhelming. HTML, 
when properly explained, is no more complicated than plain English, and the Freemans do an excellent 
job of keeping every concept at eye-level.” 

— Mike Davidson, President & CEO, News vine, Inc. 


“Oh, great. You made an XHTML book simple enough a CEO can understand it. What will you 
do next? Accounting simple enough my developer can understand it? Next thing you know we’ll be 
collaborating as a team or something.” 

— Janice Fraser, CEO, Adaptive Path 

“This book has humor, and charm, but most importantly, it has heart. I know that sounds ridiculous 
to say about a technical book, but I really sense that at its core, this book (or at least its authors) really 
care that the reader learn the material. This comes across in the style, the language, and the techniques. 
Learning — real understanding and comprehension — on the part of the reader is clearly top most in 
the minds of the Freemans. And thank you, thank you, thank you, for the book’s strong, and sensible 
advocacy of standards compliance. It’s great to see an entry level book, that I think will be widely read 
and studied, campaign so eloquently and persuasively on behalf of the value of standards compliance in 
web page code. I even found in here a few great arguments I had not thought of - ones I can remember 
and use when I am asked — as I still am — ‘what’s the deal with compliance and why should we care?’ 

I’ll have more ammo now! I also liked that the book sprinkles in some basics about the mechanics of 
actually getting a web page live - FTP, web server basics, file structures, etc.” 

— Robert Neer, Director of Product Development, Movies.com 


Praise for Head First JavaScript 


“So practical and useful, and so well explained. This book does a great job of introducing a complete 
newbie to JavaScript, and it’s another testament to Head First’s teaching style. Out of the other 
JavaScript books, Head First JavaScript is great for learning, compared to other reference books the size of 
a phone book.” 

— Alex Lee ， Student，University of Houston 

“An excellent choice for the beginning JavaScript developer.’’ 

— Fletcher Moore, Web Developer & Designer, Georgia Institute of Technology 


“Yet another great book in the classic 'Head First’ style.” 

— TW Scannell 


“JavaScript has long been the client-side engine that drives pages on the Web, but it has also long been 
misunderstood and misused. With Head First JavaScript, Michael Morrison gives a straightforward and 
easy-to-understand introduction of this language, removing any misunderstanding that ever existed and 
showing how to most effectively use it to enhance your web pages.” 


— Anthony T. Holdener III， Web applications developer, and the author of Ajax: 
The Definitive Guide. 


“A web page has three parts — content (HTML), appearance (CSS), and behaviour (JavaScript). Head First 
HTML introduced the first two, and this book uses the same fun but practical approach to introduce 
JavaScript. The fun way in which this book introduces JavaScript and the many ways in which it 
reinforces the information so that you will not forget it makes this a perfect book for beginners to use to 
start them on the road to making their web pages interactive.” 

— Stephen Chapman，Owner Felgall Pty Ltd . 5 JavaScript editor, about.com 


“This is the book I’ve been looking for to recommend to my readers. It is simple enough for complete 
beginners but includes enough depth to be useful to more advanced users. And it makes the process of 
learning fun. This might just be the only JavaScript book you ever need.” 

— Julie L Baumler, JavaScript Editor, BellaOnline. com 
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technical book writing actually paid real money, she 
learned to accept and enjoy it. After going back to 
school to get a Masters in Computer Science, she 
worked for the acronyms NRL and LANL. Then she 
discovered Flash, and wrote her first bestseller. A victim 
of bad timing, she moved to Silicon Valley just before 
the great crash. She spent several years working for 
Yahoo! and writing other books and training courses. 
Finally giving in to her creative writing bent, she moved 
to the New York area to get an MFA in Creative Writing. 
Her Head First-style thesis was delivered to a packed 
room of professors and fellow students. It was extremely 
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contributor to the online world ever since he ran a BBS 
on his Commodore 64 way back when being a nerd 
was far less cool than it is these days. A few thousand 
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still very much involved in the modern equivalents and 
the tools we use to build them. He spends most of his 
“official” time writing about web-related technologies, 
having authored or co-authored over fifty books ranging 
from mobile game programming to XML. He entered 
the Head First foray with Head First JavaScript, and hasn’t 
looked back. 

Michael is also the founder of Staleflsh Labs (www. 
stalef ishlabs . com), an entertainment company 
specializing in games, toys, and interactive media. And 
he’s been known to actually spend time offline (gasp!) 
skateboarding, playing ice hockey, and hanging out next 
to his koi pond with his wife, Masheed. He even sleeps 
every once in a while. 


• • • 

VIII 


table of contents 


Table of Contents (Summary) 

Intro 

1 It’s Alive: Add Life to Tour Static Pages 

2 How It Fits Together: Connecting to MySQL 

3 Creating Your Own Data: Create and Populate a Database 

4 Your Application on the Web: Realistic and Practical Applications 

5 When a Database Just Isn’t Enough: Working With Data Stored in Files 

6 Assume They’re All Out to Get You: Securing Tour Application 

7 Remember Me?: Building Personalized Web Apps 

7 l / 2 Sharing is Caring: Eliminate Duplicate Code 

8 Harvesting Data: Control Tour Data, Control Tour World 

9 Better Living Through Functions: String and Custom Functions 

10 Rules for Replacement: Regular Expressions 

11 Drawing Dynamic Graphics: Visualizing Tour Data... and More! 

12 Interfacing to the World: Syndication and Web Services 

i The Top Ten Topics (We Didn’t Cover): Leftovers 

ii A Place to Play: Set Up a Development Environment 

iii Get Even More: Extend Tour PHP 


xxvii 

1 

59 

103 

159 

223 

295 

345 

417 

427 

501 

561 

605 

657 

713 

731 

749 


Table of Contents ({he peal firing) 

Intro 

Your brain on PHP & MySQL. Here you are trying to learn something, 
while here your brain is doing you a favor by making sure the learning doesn’t stick. 
Your brain’s thinking,"Better leave room for more important things, like which wild 
animals to avoid and whether underwater yoga is a bad idea.”So how do you trick 
your brain into thinking that your life depends on knowing PHP and MySQL? 
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add Met ?ymr static pages 

It’s Alive 

You’ve been creating great web pages with HTML, and 

a sprinkling of CSS. But you’ve noticed that visitors to your site can’t do 
much other than passively look at the content on the pages. The communication’s 
one-way, and you’d like to change that. In fact, you’d really like to know what your 
audience is thinking. But you need to be able to allow users to enter information 
into a web form so that you can find out what’s on their minds. And you need to be 
able to process the information and have it delivered to you. It sounds as if you’re 
going to need more than HTML to take your site to the next level. 



HTML is static and boring 

PHP brings web pages to life 

A form helps Owen get the whole story 

Forms are made of HTML 

The HTML form has problems 

HTML acts on the client 

PHP acts on the server 

PHP scripts run on the server 
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Even plain text can be for matted... a little 

Newlines need double-quoted strings 

Assemble an email message for Owen 
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Owen starts getting emails 
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cgnnectlng t9 My^QL 

How it fits together 

Knowing how things fit together before you start building is 

a good idea. You’ve created your first PHP script, and it’s working well. But getting 
your form results in an email isn’t good enough anymore. You need a way to save the 
results of your form, so you can keep them as long as you need them and retrieve them 
when you want them. A MySQL database can store your data for safe keeping. But you 
need to hook up your PHP script to the MySQL database to make it happen. 



The new report form is great, but 
now I’m getting too many emails. I can't 
drink enough caffeine to go through 
them all when I first receive them. 


Owen’s PHP form works well. Too well... 60 
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cveette and populate a dsttsbsise 

Creating your own data 

You don’t always have the data you need. 

Sometimes you have to create the data before you can use it. And sometimes 
you have to create tables to hold that data. And sometimes you have to create 
the database that holds the data that you need to create before you can use it. 
Confused? You won’t be. Get ready to learn how to create databases and tables 
of your very own. And if that isn’t enough, along the way, you’ll build your very first 
PHP & MySQL application. 



The Elvis store is open for business 104 
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First things first, grab the data 135 
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Sometimes people want out 146 

Removing data with DELETE 147 

Use WHERE to DELETE specific data 148 

Minimize the risk of accidental deletions 149 

MakeMeElvis.com is a web application 154 
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realistic and practical appllccitlons 

Your Application on the Web 

Sometimes you have to be realistic and rethink your plans. 

Or plan more carefully in the first place. When your application’s out there on the Web, 
you may discover that you haven’t planned well enough. Things that you thought would 
work aren’t good enough in the real world. This chapter takes a look at some real-world 
problems that can occur as you move your application from testing to a live site. Along 
the way, we’ll show you more important PHP and SQL code. 
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Elmer has some irritated customers 160 

Protecting Elmer from...Elmer 163 

Demand good form data 164 
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Working With dctta stored in ?!les 

When a database just isn’t enough 

Don't believe the hype...about databases, that is. Sure, they 

work wonders for storing all kinds of data involving text, but what about binary 
data? You know, stuff like JPEG images and PDF documents. Does it really make 
sense to store all those pictures of your rare guitar pick collection in a database 
table? Usually not. That kind of data is typically stored in files, and we'll leave it in 
files. But it’s entirely possible to have your virtual cake and eat it too — this chapter 
reveals that you can use files and databases together to build PHP applications 
that are awash in binary data. 
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The proof is in the picture 225 
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Planning for image file uploads in Guitar Wars 231 

The high score database must be ALTERed 232 

How do we get an image from the user? 236 

Insert the image filename into the database 238 

Find out the name of the uploaded file 239 

Where did the uploaded file go? 244 

Create a home for uploaded image files 248 

Shared data has to be shared 254 

Shared script data is required 255 

Think of require_once as "insert" 256 

Order is everything with high scores 258 

Honoring the top Guitar Warrior 261 

Format the top score with HTML and CSS 262 

Only small images allowed 267 

File validation makes the app more robust 268 

Plan for an Admin page 272 

Generate score removal links on the Admin page 275 

Scripts can communicate with each other 276 

Of GETs and POSTs 278 

GET, POST, and high score removal 280 

Isolate the high score for deletion 283 

Control how much you delete with LIMIT 284 


XIV 


























table of contents 



securing your appliccttlon 

ssume they’re all out to get you 


our parents were right: don’t talk to strangers, orat least don t 

trust them. If nothing else, don’t give them the keys to your application data, assuming 
they’ll do the right thing. It’s a cruel world out there, and you can’t count on everyone to 
be trustworthy. In fact, as a web application developer you have to be part cynic, part 


conspiracy theorist. Yes, people are generally bad and they’re definitely out to get you! 
OK, maybe that’s a little extreme, but it’s very important to take security seriously and 


design your applications so that they’re protected against anyone who might choose to 


do harm. 
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The day the music died 
Where did the high scores go? 
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LmMfng personali^cl web apps 


7 Remember me? 

No one likes to be forgotten, especially users of web 

applications. If an application has any sense of “membership，” meaning that 
users somehow interact with the application in a personal way, then the application 


needs to remember the users. You’d hate to have to reintroduce yourself to 
your family every time you walk through the door at home. You don’t have to 
because they have this wonderful thing called memory. But web applications don’t 
remember people automatically - it’s up to a savvy web developer to use the tools 
at their disposal (PHP and MySQL, maybe?) to build personalized web apps that 
can actually remember users. 
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eliminate duplicate code 

Sharing is caring 

Umbrellas aren’t the only thing that can be shared, in any web 

application you’re bound to run into situations where the same code is duplicated in 
more than one place. Not only is this wasteful, but it leads to maintenance headaches 
since you will inevitably have to make changes, and these changes will have to be 
carried out in multiple places. The solution is to eliminate duplicate code by sharing 
it. In other words, you stick the duplicate code in one place, and then just reference that 
single copy wherever you need it. Eliminating duplicate code results in applications that 
are more efficient, easier to maintain, and ultimately more robust. 
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Rebuilding Mismatch from a template 

Rebuild Mismatch with templates 

Mismatch is whole again...and much better organized 
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control your data, control your world 

Harvesting data 

There’s nothing like a good fall data harvest. An abundance of 

information ready to be examined, sorted, compared, combined, and generally 
made to do whatever it is your killer web app needs it to do. Fulfilling? Yes. But like real 
harvesting, taking control of data in a MySQL database requires some hard work and 
a fair amount of expertise. Web users demand more than tired old wilted data that’s dull 
and unengaging. They want data that enriches...data that fulfills...data that’s relevant. 

So what are you waiting for? Fire up your MySQL tractor and get to work! 
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string and custom fonctlons 

Better living through functions 

Functions take your applications to a whole new level. 

You’ve already been using PHP’s built-in functions to accomplish things. Now it’s time to 
take a look at a few more really useful built-in functions. And then you’ll learn to build 
your very own custom functions to take you farther than you ever imagined it was 
possible to go. Well, maybe not to the point of raising laser sharks, but custom functions 
will streamline your code and make it reusable. 
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regular expressions 

Rules for replacement 

String functions are kind of lovable. But at the same time, 

they’re limited. Sure, they can tell the length of your string, truncate it, 
change certain characters to other certain characters. But sometimes you need 
to break free and tackle more complex text manipulations. This is where regular 
expressions can help. They can precisely modify strings based on a set of 
rules rather than a single criterion. 


First Name: Jimmy 

Phone: 636 4652 
Desired Job: Ninja 
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Drawing dynamic graphics 

Sure, we all know the power of a good query and a bunch of 

juicy results. But query results don’t always speak for themselves. Sometimes 
it’s helpful to cast data in a different light, a more visual light. PHP makes it possible 
to provide a graphical representation of database data: pie charts, bar charts, 


Venn diagrams, Rorschach art, you name it. Anything to help users get a grip on the 


data flowing through your application is game. But not all worthwhile graphics in PHP 
applications originate in your database. For example, did you know it’s possible to 
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sync[!cciti9n and Web services 

Interfacing to the world 

It’s a big world out there, and one that your web 
application can’t afford to ignore. Perhaps more importantly, you d 
rather the world not ignore your web application. One excellent way to tune the 



world in to your web application is to make its data available for syndication, which 
means users can subscribe to your site’s content instead of having to visit your 
web site directly to find new info. Not only that, your application can interface to 
other applications through web services and take advantage of other people’s data 
to provide a richer experience. 



Many regular web 
browsers also let you 
browse M push” content 
that quickly reveals 
the latest news posted 
to a web site. 


Even mobile devices provide 
access to M push” content 
that is automatically 
delivered when something 
on a web site changes. 
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The Top Ten Topics (we didn’t cover) 

Even after all that, there’s a bit more. There are just a few more things 
we think you need to know. We wouldn’t feel right about ignoring them, even though 
they only need a brief mention. So before you put the book down, take a read through 
these short but important PHP and MySQL tidbits. Besides, once you’re done here, all 
that’s left are a couple short appendices... and the index... and maybe some ads... and 
then you’re really done. We promise! 
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set up a (JeVelopment environment 

A place to play 

You need a place to practice your newfound PHP and 
MySQL skills without making your data vulnerable on the 

web. It’s always a good idea to have a safe place to develop your PHP application 
before unleashing it on the world (wide web). This appendix contains instructions for 
installing a web server, MySQL, and PHP to give you a safe place to work and practice. 
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extend your php 

Get even more 

Yes, you can program with PHP and MySQL and create 

great web applications. But you know there must be more to it. And 
there is. This short appendix will show you how to install the mysqli extension and 
GD graphics library extension. Then we’ll mention a few more extensions to PHP 
you might want to get. Because sometimes it’s okay to want more. 


Extending your PHP 750 

And on the Mac... 753 
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how to use this book 


Who is this book for? 


If you can answer “yes” to all of these: 

Are you a web designer with HTML or XHTML experience 
and a desire to take your web pages to the next level? 


② 


Do you want to go beyond simple HTML pages to learn, 
understand, and remember how to use PHP and 
MySQL to build web applications? 


③ 


Do you prefer stimulating dinner party conversation to 
dry, dull, academic lectures? 


this book is for you. 


Who should probably back away from this book? 


If you can answer “yes” to any of these: 


① 


Are you completely unfamiliar with basic 
programming concepts like variables and loops? 


(But even if you’ve never programmed before, you’ll 
probably be able to get the key concepts you need from 
this book.) 


② 


Are you a kick-butt PHP web developer looking for a 
reference book? 


③ 


Are you afraid to try something different? Would you 
rather have a root canal than mix stripes with plaid? Do 
you believe that a technical book can't be serious if it 
creates an alien abduction database? 


this book is not for you. 



-this book is 
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the intro 


Wc know what youVe thinking 

u How can this be a serious PHP and MySQL book?” 


“What’s with all the graphics?” 




“Can I actually learn it this way?” 

Wc know what your brain is thinking 




Your brain craves novelty. It’s always searching, scanning, waiting for something 
unusual. It was built that way, and it helps you stay alive. 


So what does your brain do with all the routine, ordinary, normal things you 
encounter? Everything it can to stop them from interfering with the brain’s 
real]oh — recording things that matter. It doesn’t bother saving the boring 
things; they never make it past the “this is obviously not important” filter. 

How does your brain know what’s important? Suppose you’re out for a 
day hike and a tiger jumps in front of you, what happens inside your head 
and body? 


And there’s no simple way to tell your brain, “Hey brain, thank you 
very much, but no matter how dull this book is, and how little I’m 
registering on the emotional Richter scale right now, I really do want 
you to keep this stuff around.” 


Neurons fire. Emotions crank up. Chemicals surge. 
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And that’s how your brain knows... 


This must be important! Don’t forget it! 


Great. Only 750 
more dull, dry, 
boring pages. 






sd^ 


But imagine you’re at home, or in a library. It’s a safe, warm, tiger-free zone 
You’re studying. Getting ready for an exam. Or trying to learn some tough 
technical topic your boss thinks will take a week, ten days at the most. 


Just one problem. Your brain’s trying to do you a big favor. It’s trying 
to make sure that this obviously non-important content doesn’t clutter 
up scarce resources. Resources that are better spent storing the really 
big things. Like tigers. Like the danger of fire. Like how to quickly 
hide the browser window with the YouTube video of space alien 
footage when your boss shows up. 
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the intro 


Metacognition: thinking about thinking 

If you really want to learn, and you want to learn more quickly and more 
deeply, pay attention to how you pay attention. Think about how you think. 
Learn how you learn. 

Most of us did not take courses on metacognition or learning theory when we 
were growing up. We were expected to learn, but rarely taught to learn. 


I wonder how 
I can trick my brain 
into remembering 
this stuff... 



But we assume that if you’re holding this book, you really want to learn how 
to build database-driven web sites with PHP and MySQL. And you probably 
don’t want to spend a lot of time. If you want to use what you read in this 
book, you need to remember what you read. And for that, you’ve got to understand 
it. To get the most from this book, or any book or learning experience, take 
responsibility for your brain. Your brain on this content. 


The trick is to get your brain to see the new material you’re learning as 
Really Important. Crucial to your well-being. As important as a tiger. 
Otherwise, you’re in for a constant battle, with your brain doing its best to 
keep the new content from sticking. 


So just how DO you get your brain to treat PHP & 
MySQL like it was a hungry tiger? 


There’s the slow, tedious way, or the faster, more effective way. The 

slow way is about sheer repetition. You obviously know that you are able to learn 


and remember even the dullest of topics if you keep pounding the same thing into your 
brain. With enough repetition, your brain says, “This doesn’t feel important to him, but he 
keeps looking at the same thing over and over and over, so I suppose it must be.” 

The faster way is to do anything that increases brain activity, especially different 
types of brain activity. The things on the previous page are a big part of the solution, 
and they’re all things that have been proven to help your brain work in your favor. For 
example, studies show that putting words within the pictures they describe (as opposed to 
somewhere else in the page, like a caption or in the body text) causes your brain to try to 
makes sense of how the words and picture relate, and this causes more neurons to fire. 
More neurons firing = more chances for your brain to get that this is something worth 
paying attention to, and possibly recording. 


A conversational style helps because people tend to pay more attention when they 
perceive that they’re in a conversation, since they’re expected to follow along and hold up 
their end. The amazing thing is, your brain doesn’t necessarily care that the “conversation” 
is between you and a book! On the other hand, if the writing style is formal and dry, your 
brain perceives it the same way you experience being lectured to while sitting in a roomful 
of passive attendees. No need to stay awake. 


But pictures and conversational style are just the beginning... 
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lio\rV-o\r movies 


Here's what WE did: 

We used pictures, because your brain is tuned for visuals, not text. As far as your brain’s 
concerned, a picture really is worth a thousand words. And when text and pictures work 
together, we embedded the text in the pictures because your brain works more effectively 
when the text is within the thing the text refers to, as opposed to in a caption or buried in the 
text somewhere. 

We used redundancy : saying the same thing in different ways and with different media types, 
and multiple senses, to increase the chance that the content gets coded into more than one area 
of your brain. 

We used concepts and pictures in unexpected ways because your brain is tuned for novelty, 
and we used pictures and ideas with at least some emotional content, because your brain 
is tuned to pay attention to the biochemistry of emotions. That which causes you to feel 
something is more likely to be remembered, even if that feeling is nothing more than a little 

humor, surprise, or interest. 

We used a personalized, conversational style, because your brain is tuned to pay more 
attention when it believes you’re in a conversation than if it thinks you’re passively listening 
to a presentation. Your brain does this even when you’re reading. 



We included more than 80 activities, because your brain is tuned to learn and remember 
more when you do things than when you read about things. And we made the exercises 
challenging-yet-do-able, because that’s what most people prefer. 

We used multiple learning styles, because joz/ might prefer step-by-step procedures, while 
someone else wants to understand the big picture first, and someone else just wants to see 
an example. But regardless of your own learning preference, everyone benefits from seeing the 
same content represented in multiple ways. 




We include content for both sides of your brain, because the more of your brain you 
engage, the more likely you are to learn and remember, and the longer you can stay 
focused. Since working one side of the brain often means giving the other side a chance 
to rest, you can be more productive at learning for a longer period of time. 



QST DRIVQ 


And we included stories and exercises that present more than one point of view } 
because your brain is tuned to learn more deeply when it’s forced to make evaluations and 
judgments. 


We included challenges, with exercises, and by asking questions that don’t always have 
a straight answer, because your brain is tuned to learn and remember when it has to work at 
something. Think about it — you can’t get your body in shape just by watching people at the 
gym. But we did our best to make sure that when you’re working hard, it’s on the right things. 
TYidityou 9 re not spending one extra dendrite processing a hard-to-understand example, 
or parsing difficult, jargon-laden, or overly terse text. 

We people. In stories, examples, pictures, etc., because, well, because a person. 
And your brain pays more attention to people than it does to things. 
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Here's what YOU caw do to bend 
your brain into submission 

So, we did our part. The rest is up to you. These tips are a 
starting point; listen to your brain and figure out what works 
for you and what doesn’t. Try new things. 


Slow down. The more you understand, 
the less you have to memorize. 

Don’t just read. Stop and think. When the 
book asks you a question, don’t just skip to the 
answer. Imagine that someone really is asking 
the question. The more deeply you force your 
brain to think, the better chance you have of 
learning and remembering. 


^6^ Talk about it. Out loud. 

Speaking activates a different part of the brain. 

If you’re trying to understand something, or 
increase your chance of remembering it later, say 
it out loud. Better still, try to explain it out loud 
to someone else. You’ll learn more quickly, and 
you might uncover ideas you hadn’t known were 
there when you were reading about it. 


( 2 ) Do the exercises. Write your own notes. 

We put them in, but if we did them for you, 
that would be like having someone else do 
your workouts for you. And don’t just look at 
the exercises. Use a pencil. There’s plenty of 
evidence that physical activity while learning 
can increase the learning. 

^3^ Read the “There are No Dumb Questions” 

That means all of them. They’re not optional 
sidebars — they } re part of the core content! 

Don’t skip them. 


^7^ Listen to your brain. 

Pay attention to whether your brain is getting 
overloaded. If you find yourself starting to skim 
the surface or forget what you just read, it’s time 
for a break. Once you go past a certain point, you 
won’t learn faster by trying to shove more in, and 
you might even hurt the process. 

Feel something. 

Your brain needs to know that this matters. Get 
involved with the stories. Make up your own 
captions for the photos. Groaning over a bad joke 
is still better than feeling nothing at all. 


^4^ Make this the last thing you read before 
bed. Or at least the last challenging thing. 

Part of the learning (especially the transfer to 
long-term memory) happens after yow put the 
book down. Your brain needs time on its own, to 
do more processing. If you put in something new 
during that processing time, some of what you 
just learned will be lost. 

( 5 ^ Drink water. Lots of it. 

Your brain works best in a nice bath of fluid. 
Dehydration (which can happen before you ever 
feel thirsty) decreases cognitive function. 




Write a lot of code! 

There’s only one way to learn to program: writing 
a lot of code. And that’s what you’re going to 
do throughout this book. Coding is a skill, and the 
only way to get good at it is to practice. We’re going 
to give you a lot of practice: every chapter has 
exercises that pose problems for you to solve. Don’t 
just skip over them — a lot of the learning happens 
when you solve the exercises. We included a solution 


to each exercise — don’t be afraid to peek at the 
solution if you get stuck! (It’s easy to get snagged on 
something small.) But try to solve the problem before 
you look at the solution. And definitely get it working 
before you move on to the next part of the book. 
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how to use this book 


Read Me 


This is a learning experience, not a reference book. We deliberately stripped out everything 
that might get in the way of learning whatever it is we’re working on at that point in the 
book. And the first time through, you need to begin at the beginning, because the book 
makes assumptions about what you’ve already seen and learned. 

We begin by teaching simple programming concepts and database 
connection basics, then more complicated PHP functions 
and MySQL statements, and finally more complex application 
concepts. 

While it’s important to create applications that allow users to add data to and retrieve data 
from your web application, before you can do that you need to understand the syntax of 
both PHP and MySQL. So we begin by giving you PHP and MySQL statements that 
you can actually try yourself. That way you can immediately do something with PHP and 
MySQL, and you will begin to get excited about them. Then, a bit later in the book, we 
show you good application and database design practices. By then you’ll have a solid grasp 
of the syntax you need, and can focus on learning the concepts. 

We don’t cover every PHP and MySQL statement, function, or 
keyword. 

While we could have put every single PHP and MySQL statement, function, and keyword 
in this book, we thought you’d prefer to have a reasonably liftable book that would teach 
you the most important statements, functions, and keywords. We give you the ones you 
need to know, the ones you’ll use 95 percent of the time. And when you’re done with this 


book, you’ll have the confidence to go look up that function you need to finish off that 
kick-ass application you just wrote. 


You dan adtually use PttP ^ 
book by makmj a 

todc CV^k ou*t #1 
o-f »• 



We support PHP 5 and MySQL 5.0. 


Because so many people still use PHP 4 or 5, we avoid any PHP 4, 5, or 6 specific code 
wherever possible. We suggest you use PHP 5 or 6 and MySQL 5 or 6 while learning the 
concepts in this book. In developing this book, we focused on PHP 5 and MySQL 5, while 
making sure our code was compatible with later versions. 

You need a web server that supports PHP. 

PHP has to be run through a web server to work correctly. You need Apache or some other 
web server installed on your local machine or a machine to which you have some access 
so that you can run MySQL commands on the data. Check out Appendixes ii and iii for 
instructions on how to install and extend PHP and MySQL. 
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We use MySQL. 


While there’s Standard SQL language, in this book we focus on the particular syntax 
of MySQL. With only a few syntax changes, the code in this book should work with 
Oracle, MS SQL Server, PostgreSQL, DB2, and quite a few more Relational Database 
Management Systems (RDBMSs) out there. You’ll need to look up the particular PHP 
functions and syntax if you want to connect to these other RDBMSs. If we covered 
every variation in syntax for every command in the book, this book would have many 
more pages. We like trees, so we’re focusing on MySQL. 

The activities are NOT optional. 

The exercises and activities are not add-ons; they’re part of the core content of the book. 
Some of them are to help with memory, some are for understanding, and some will help 
you apply what you’ve learned. Don } t skip the exercises. The crossword puzzles are 
the only thing you don’t have to do, but they’re good for giving your brain a chance to 
think about the words and terms you’ve been learning in a different context. 


The redundancy is intentional and important. 

One distinct difference in a Head First book is that we want you to really get it. And we 
want you to finish the book remembering what you’ve learned. Most reference books 
don’t have retention and recall as a goal, but this book is about learnings so you’ll see some 
of the same concepts come up more than once. 


The examples are as lean as possible. 

Our readers tell us that it’s frustrating to wade through 200 lines of an example looking 
for the two lines they need to understand. Most examples in this book are shown within 
the smallest possible context, so that the part you’re trying to learn is clear and simple. 
Don’t expect all of the examples to be ultra robust, or always complete — they are written 
specifically for learning, and aren’t necessarily fully-functional. 

We’ve placed all of the example code and applications on the Web so you can copy and 
paste parts of them into your text editor or MySQL Terminal, or upload them as-is to 
your own web server for testing. You’ll find it all at 

http:/ / www.headfirstlabs.com/books/hfphp/ 


Several of the examples 
-Pull—blov/h y/cb 
applidatiohs -that do some 
powcv-Pul things. 


The Brain Power exercises don’t have answers. 


For some of them, there is no right answer, and for others, part of the learning 
experience of the Brain Power activities is for you to decide if and when your answers 
are right. In some of the Brain Power exercises, you will find hints to point you in the 
right direction. 
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safari books online 


Safari© Pooks Online 


Safari .》 

Books Online 


When you see a Safari® icon on the cover of your favorite 
technology book that means the book is available online 
through the O’Reilly Network Safari Bookshelf. 


Safari offers a solution that’s better than e-books. It’s a virtual library that lets you 
easily search thousands of top tech books, cut and paste code samples, download 
chapters, and find quick answers when you need the most accurate, current 
information. Try it for free at http : // safari . oreilly. com. 
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1 add life to your st^ltic pages 


參 + 


IVs Alive 考 



You’ve been creating great web pages with HTML, and a 

sprinkling of CSS. But you’ve noticed that visitors to your site can’t do much other 
than passively look at the content on the pages. The communication’s one-way, and you’d 
like to change that. In fact, you’d really like to know what your audience is thinking. But 
you need to be able to allow users to enter information into a web form so that you can 
find out what’s on their minds. And you need to be able to process the information and 
have it delivered to you. It sounds as if you’re going to need more than HTML to take 
your site to the next level. 


this is a new chapter 



sometimes just HTML isn’t enough 


HTML is static and boring 


HTML’s great for creating web pages, that much we already know. But 
what about when you need web pages that actually do something? 
Suppose you need to search a database or send an email... what then? 
HTML falls short because it’s a pretty lifeless language, designed for 
displaying information that never changes. 



is ytai VO'* 
sKa^rc a pitWc o+ 
uv* 七 … 一七 饩 0 七 so 七 

You *to m 七七 

七 h v\s'i*bov-s *to Y ou，r s, ^ c * 




The WT^/|L Code ih "these 
pages is dctcv-mihcd 
wheh the web dcvclopcv- 
the pa^es. 




Client web 
browser 




Web server 


r 二 5:4 ㈣ 

a,a 叶 rt 伤七 ^ a sc ^ cv， 
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0 





TV v/cb scv-vc\r is 
IWrbed *to sc^rvmj 

uf one static HTML 
pay 3-f*bcv a\r\o*t^cv-. 


Witk pure HTML 


The web server’s a big part of the problem with lifeless HTML 
since it serves as nothing more than a boring delivery mechanism. 
A browser requests a page, the server responds with HTML, end 
of story. To turn web sites into interactive web applications, 
the web server has to take on a new, more dynamic role... a role 
made possible by PHP. 


wet pages, tke server 
simply serves up 

static HTML tkat can 

only display content. 
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add life to your static pages 


^ a liUlc help 

PHP brings web jrnges to life " ihe se ^ ! 

PHP allows you to manipulate web page content on the server]\x^t 
before a page is delivered to the client browser. It works like this: 

A PHP script runs on the server and can alter or generate HTML 
code at will. An HTML web page is still delivered to the browser, 
which doesn’t know or care that PHP is involved in tweaking the 
HTML on the server. 


TV bvoy/sev still v-c^civcs 

v-c^ulav- HTML y/cb fays, 

but Codts 

dY^d^i^dlly by 

PHP OY\ SCVVCV-. 



The HTA1L CoAt ih "these 
pages is gchc\ratcd by PHP 

dyhami^oilly 
dcpchdihj oh whoi-t the web 
heeds. 


Witk PHP in tke 

mix, tke wet server 
is atle to dvnaniicallv 
generate HTML wet 

pages on tke lly. 

咖作扣 e sWcd 

二 the web s C ^v C ^ 

广 Pressed ahd 
r 仏⑶ delivered -to 

Q — b^owsc^ as HTML ?a ^ 


Web server 





Client web 
browser 


Pyramid HTML 

•m response *to pvoyamma-tid 

lo^'id m PHP sd\rip-b> makiir^ 

•them mdvcdibly -flexible- 





pttP Wifb 6 oy\*tam bo-tii 
rtTML We and PttP 仏叫七 
code drtcmmdov/ 七 he 

WTML todcs wa 命 la 七 cd. 


MySQL 

Database 


PttP s"to\rcs 3hd \rct\ricvcs 
data -Pv-om a debase 
ahd ihdo\rpo\ratcs the 
data ih-fco the HTML 
乙 ode that it gchcv-atcs. 
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sending out an (internet) sos 


l?ogs m space 

Meet Owen. Owen’s lost his dog, Fang. But finding his dog isn’t 
just a matter of searching the neighborhood. You see, Fang was 
abducted by aliens, which expands Owen’s search to the entire 
galaxy. Owen knows some HTML and CSS, and he thinks a 
custom web site may help solve his problem by allowing other 
people to share their own alien abduction experiences. 

But to get information from others, Owen’s going to need a 
web form that’s capable of receiving user input, lots of it, and 
notifying him about it. Not a problem — HTML has plenty of 
tags for whipping together web forms. 



. 



pcta.U avc skcUW/, W 七 ^ Ac 

kv>0Y/ f>was 

• ，山七 k sic/ m a beam 吵 t. 


0 ⑽ hows some HT/WL av\d 
CSS ahd thihks he might be 
able -to use -the web -to help 
■br 以 doy/h his do^ Fahg. 
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A form helps Owew get the whole story 


Owen’s new web site, AliensAbductedMe.com, aims to connect Owen 
with alien abductees who might be able to shed some light on Fang’s 
disappearance. Owen knows he needs an HTML form to solicit 
abduction stories from visitors and that it must find out if they’ve run 
into Fang during their interstellar journeys. But he needs your help 
getting it up and running. Here’s what he has in mind for the form. 


fft, 0 O AUm-. Mr 二 Ri.d-'n AIjduL.t.un 

Aliens Abducted Me - Report an Abduction 


Share your story of aUcn abduction'. 


First name: 

Last naicw: 

Whal is your email address 

枕 ldWithappeC 

How Ion 总 wtre ym 
Ho 评 mmy did ym see? 

What did they do lo you? 
Have v-nu wi'n m>. I* 


7 Yqs O O 







Anvtliing ynsii wanl tn sirlrt j 

■" Rgpurl /ifadiyi.iw' 


0\Ntv\ y/ar\*b *to v-CtcWc 3r\ 
email message *biic 
usev* submi*bs -foVm. 




rtcv-cs h\t field -fov- i\\t 
visVtov~’s cw\3*l 3(iclv"css. 


Owch wa^-b a physical 
dcs^v-iptioh o( the oiliehs. 


0^tY\ V^opcs Someone will 
a^sy/cv- yes, -tV^a-b sav/ 

OK\ 3l»C\r\ Sf3dC^V"3T*t- 


A^y dddi-tiohdl 

Jo hc\rc. 


What do you think of Owen’s HTML form? 


This -fov-rw is puve 100% 

^v-adc A WTMU 


Gan you think of any problems Owen might face when he tries to gather 
alien abduction data using this form? Go ahead, jot down your thoughts. 
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owen } s form html 


Forms are made of HTML 

Owen’s Report an Abduction form is built entirely out of HTML tags and 
attributes. There are text fields for most of the questions, radio buttons to 
find out if his visitor saw Fang, and a text area for additional comments. 
And the form is set up to deliver form data to Owen’s email address. 

W mail*to W d pV"0*totol 七 3llo>MS 
•fovm data *to be delWeved via email. 


K you heed a o 竹 

HTML eMtc\c 

ou 七 C— 七吖 I 午 0 ^ 衿 ca d 卜迕 

HTML WitK CSS & ><HTMU 

Owch will gc-t the doh-tchts 
o*P this -Poirrh "to hirw 3 七 
this entail addiress — 

O^s era'll address -to 
youirs "to iesi ou-t the -Pov-m. 


<p>Share your story of alien abduction : </p> 

〈form method= M post'^ action="mailto : owen@aliensabductedme. com ，'〉 

<label for="firstname M >First name : </label> 

: "text" id="firstname" name= M firstname" / ><br /> 

'lastname">Last name : </label> 

: "text" id= n lastname" name="lastname" / xbr / > 

email n >What is your email address?</label> |r>pu*t toijs tell "the -fov 


<input type: 
<label for= 
<input type: 


TW»s value tells ^ 

{p sc^d data. I be 

{\\t d'iWcv-cy\tc a l»*t 


<label for= 
Ur^ 

<input type: 


"to OCpcd 灼 . 


<label for= 
<input type: 
<label for= 
<input type: 
<label for= 


: ， 'text，' id= M email" name= M email" / xbr / > 
’whenithappened，，>When did it happen?</label> 

： M text" id= M whenithappened" name="whenithappened" / xbr / > 
’howlong n >How long were you gone?</label> 

： M text" id= M howlong" name= n howlong" / xbr / > 




howmany">How many did you see?</label> 


The type a*t*tvibu*tc tells -the 
-Pov-m adtio^ -to 


size= M 32 n / xbr / > 


/ xbr / > 


<input type="text M id="howmany" name= M howmany" / xbr / > 

<label for="aliendescription">Describe them : </label> 

<input type="text" id="aliendescription" name="aliendescription' 

<label for="whattheydid M >What did they do to you?</label> 

<input type= n text" id="whattheydid M name= M whattheydid" size= M 32' 

<label for="fangspotted M >Have you seen my dog Fang?</label> 

Yes <input id="fangspotted" name= n fangspotted" type= M radio n value= n yes" / > 

No <input id= M fangspotted" name="fangspotted" type="radio M value= M no" / xbr / > 
<img src="fang.jpg" width= M 100" height= M 175" 
alt="My abducted dog Fang. " / xbr / > 

<label for="other">Anything else you want to add?</label> 

<textarea id= M other" name= M other"></textareaxbr / > 

<input type="submit" value="Report Abduction" name="submit" / > 

</form> 


TKc -Pov-m is bvadketed 

d^d tlosc <-(*oVm> 




No suv-pviscs - the -Povm 
is puv-c, 100% HTML Code/ 


"The subrni-fc but-fcoh tells 
the -Poirirn io execute 
七 he -fov-rn adtioh. 
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add life to your static pages 



Tqst DriVQ 


Try out the Report an Abduction form. 


Download the code for the Report an Abduction web page from 
the Head First Labs web site at 

www. headf irstlabs . com/books/hfphp. It’s in the 
chap ter 01 folder. The folder contains Owen’s web form in 
report. html, as well as a style sheet (style. css) and an 
image of Fang (fang. jpg). 

Open the report. html page in a text editor and change 
Owen’s email address to yours. Then open the page in a web 
browser, enter some alien abduction information in the form, 
and click the Report Abduction button. 


謹 

style, css 


report.htm» far >9jpg 






Aliens Abducted Me - 

兄卜 yflur sbnry of ilicn ibduilion:: 

Fintt EiinM -： 

I .ml niunf ： 

Wbu.4 is vuur email addrebs? 
\yhta dbd n hBppw? 

Hnw mariv dirt jbu 
|>«cribt! chtma 
VKbM dW [iwy do c&y«J7 
ItavtiouiKtB mff dojiFiiig? 


Report an Abduction 


AJf 


Kjihr 

ii fn^ cfn; ^ Mfl * 林 n m 

\^iY4wtmb€t 

llhsun 



fcHk 自 rtn mrn 

takol r^'Cdbwi^UTO 



Submittihg the -Povm 
\rcsul-b ih -the -Pov-m daia 
getting emailed .sovt o(. 


The WTML ^ov-m doesn't kow 

V^ov/ bo anally 奶 d 扣 email 

广 ^cssay> so *rt delegates i\\t -task 
C -to user’s ovm era'll program. 



. 1 . 


1*^] Frptn ; 厂 1 


X 




AnvEhinp L'lw wanL In arlrt? 

' fcpo^Lteduilsun I 


^|K 9 SF f#T /N®. 


The -PoVm dd*kd lS^*t SC^*t *to 
Owtti unless *tV>c usev* manually 


r 


So, what do you think? Did you receive the form data 
as an email message in your Inbox? 
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mailto = bad idea 


The HTML form has problems 

Owen’s Report an Abduction form is up and running, but he doesn’t get 
much information from users. Is Fang’s abduction really such an isolated 
incident... or is something wrong with his form? Let’s see what the users 
have to say about it. 


I saw something like this in the 
Subject field ： ?When=AWhere= 
rm confused. 


O 




Nothing happened because my 
web browser has no default 
email client... whatever that is. 



O 



When I click the button, it opens 
my email program, Outlook, and 
doesn’t have anything I just spent 
15 minutes typing in the form! 


I had a blank email to fill out. All 
my carefully typed answers from 
the form were ignored. Someone 
should abduct this stupid form! 


o 



0 



Wh 广卜 Wow is 咖此 
^ OV " C k us 七 ' ^tioh thah ih^ovma-tioh 
visi-tovs -to his site. 


What’s going on here? Do you have any ideas 
about how to fix the form? 
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Yes- The HTML form code is fine, but mailto isn’t a good 
way to deliver form data. 

Owen’s form is perfectly fine until the user clicks the Report Abduction 
button. At that point you rely on mailto to package up the form data in 
an email. But this email doesn’t get sent automatically — it’s created in the 
default email program on the user’s computer instead. And the real kicker... 
the user has to send the email themselves in order for the data to get 
sent to you! So you have no control over the email delivery, meaning that it 
may or may not successfully make the trip from your web form through their 
browser to their email client and back to you as an email message. Not good. 

You need a way to take control of the delivery of the web form. More 
specifically, you need PHP to package the form data into an email message, 
and then make sure it gets sent. This involves shifting your attention from the 
client (HTML, mailto, etc.) to the server (PHP). 


TKc -fovm^s y/ov>dcv-ful 
uy>*til you Rcpov-t 

f[\)A\Atk\ov\ — all 
bc*U avc o-f-ff V 
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client-side versus server-side 


HTML acts ow the CLIENT 


Owen’s form is written in pure HTML with a mail to form 



The user fills out the 
form and submits it. 



0^itv\ oy 

、ay hot get 
七 he Cmdil- 


The form action tag tells 
the browser to ask the 
user’s email program to 
create an email. 


The user’s email program 
creates an email with the 
form data - it’s up to the user 
to actually send it to Owen. 





TKc SCV-VCV* ir^CVCV- 


ioudi^s *tKc data 
m*to >/cb 
-fovms use 


The server’s role here is limited to just delivering the web 
page to the browser. When the user submits the form, the 
browser (client!) is left to its own devices to work out how to get 
the form data sent via email. The client isn’t equipped to deliver 
form data — that’s a job for the server. 
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PHP acts ow the SERVER 


PHP lets you take control of the data a user types into the form by 
emailing it to you transparently. The user types his abduction story 
into the form, hits the Report Abduction button, and he’s done! The PHP 
code creates the email message, sends it to you, and then generates a web 
page confirmation for the user. 


rd like Owen's Report an 
Abduction web page, please. 


o The browser asks for 
Owen，s web page. 



0 


O 


O 


■r 


汁 ti iirr \ 




❺ The server responds with the 
HTML code for the web page 


Now, Td like to submit 
Owen’s Report an 
Abduction form, please. 


User fills out and submits the form, passing 
form data to a PHP script on the server. 


<form action 
report.php" 


I process the 
form information 
and send the 
email myself. 


o 





❺ 


The server sends an HTML 
confirmation to the browser. 



o The PHP script generates 
an HTML confirmation 


page and emails the form 
data to Owen. 



Check the boxes for where you think a PHP script belongs: 


0^tY\ is g,uav-ar\*tccdi -to 
a r>itcly ^ovma't'tcd entail- 


Client 


Server 


Both 


Neither 
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php is a server-side language 


?W scripts rim ow the server 

PHP code runs on the server and is stored in PHP scripts that 
usually have a . php file extension. PHP scripts often look a lot like 
normal HTML web pages because they can contain both HTML 
code and CSS code. In fact, when the server runs a PHP script the 
end result is always pure HTML and CSS. So every PHP script 
ultimately gets turned into HTML and CSS once it’s finished 
running on the server. 

Let’s take a closer look at how a PHP script changes the flow of 
Owen’s web form. 



o The client web browser requests an HTML web 
page，in this case，the Report an Abduction form. 


.UicEB .Ubductrf ?»l< - feswrl 





reporthtml 


o The server returns the HTML web page 


Ckkmg Rcpoirt Abdud-tioh 

submits the -Po\rr» data "to 

PHP sdv-ipt oh -the sc\rvc\r. 


❺ The user fills out the form and submits it ， 
causing the browser to pass along the form 
data to a PHP script on the server. 
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PHP is a server — side programitiingf 
language _ it runs on a wet server. 


❺ The server returns a pure HTML web page 
that was generated by the PHP script. 



o The email is 

delivered to 
Owen’s Inbox. 


Ov/Ch \rcdcivcs 
the email. - ^ 


T\\t PHP 

r\AY\S OY\ IVlC SCVVCV- 1 


AIBhk 


5 Abduc&Kl Sit ^ lUfMjfl nr 

m4 vne^wd 

'Ih t WsW* m 

E Bnca£ alteiH bb 


Abdurlkm 

ii!I»n 


Tiic usev sees 
y/cb pay. 




report.php 


f report.php 

o The server runs the PHP script, 

which sends an email and generates 
an HTML confirmation web page. 


Although -the page shows up 
3 php ih -the bvowsev, 

i tspuir C HTML at this pomi 


o The browser displays the 
confirmation web page. 
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the form action attribute 


Okay. But what actually 
causes a PHP script to 
get run on the server? 


O 



PttP Wifb. 


A form element’s action attribute is what connects a 
form to a PHP script, causing the script to run when 
the form is submitted. 

Forms are created using the HTML <f orm> tag, and every <f orm> 
tag has an action attribute. Whatever filename you set the action 
attribute to is used by the web server to process the form when it is 
submitted. So if Owen’s PHP script is named report. php, then the 
<f orm> tag that connects it to the form looks like this: 

<form action = "report.php n method = n post n > 

" .. 

When the user clicks the Report Abduction button in the form, the form 
/ action causes the report. php script to be run on the server to 
process the form data. 


report.html 


<html> 

<head> 

</head> e>AlienS AbdUCtSd MS - Re P° rt Abduction</title> 

<body> 

<h2>Aliens Abducted Me - Report an Abduction</h2> 
</head> " StYleSheet " ^P-'-text/css" href="st y le. css" 

<body> 

<h2>Aliens Abducted Me - Report an Abduction</h2> 


/> 


<^>Share your story of alien abduction:< 
^form method="po St " action="re P ort., nhr,"^ 

-r M 4J J —— -L- 

leTTylabe 


■ , , n - 1 - n - 1 - 上。 

. 此丄 ror=-txiaLname"^i l xiaL nartie 
〈input type="text" id="firstname' 


name: 


1 > 

firstname' 


/><br /> 


TV^c action atbriW 七 e of 
七 ,s 如^七 

causes i\\t PHP stvift -to 

vuy\ OY\ sevvev- ^l\\tY\ 

七 •fovw' is subw'i*t-*tcd» 



report, php 
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add life to your static pages 


there ^ are no o 

Dumb Questi9ns 


What does PHP stand for? 

PHP is an acronym that originally stood for Personal Home Pages. 
Somewhere along the way the acronym was changed to mean PHP: 
Hypertext Processor. The latter is considered a recursive acronym 
because it references itself—the acronym (PHP) is inside the acronym. 
Clever? Confusing? You decide! 

Even though my web browser shows that a web page has a 
name that ends in . php ， it’s still pure HTML? How is that? 

It's possible because the page originates as PHP code on the 
server but is transformed into HTML code before making its way to the 
browser So the server runs the PHP code and converts it into HTML code 
before sending it along to the browser for viewing. This means that even 
though a .php file contains PHP code, the browser never sees it—it only 
sees the HTML code that results from running the PHP code on the server. 

But don’t all web pages originate on the server, even pure 
HTML pages in .html files? 

Yes. All of the files for a web site are stored on the server—. html, 
.css, . php, etc. But they aren't all processed by the server. HTML and 
CSS files, as well as image files, are sent directly to the client browser 
without worrying about what’s actually inside them. PHP files are different 
because they contain code that’s processed and run on the web server. 

It’s not the PHP code that’s sent to the browser, it's the results of running 
the PHP code that are sent, and these results are pure HTML and CSS. 


you are here ► 
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your first php script 


Use PHP to access the form data 


So Owen needs a PHP script that can get the alien abduction form 
information to him more reliably than the mail to technique. Let’s create it. 
Don’t worry about understanding everything yet — we’ll get to that: 


PHP 

s*tav-t ou*t 
look'mj a lot l*»kc 

HTML web 阿 s. 


things get 

- this 

is the be^ihhih^ 

of the adiual 

PttP dodc. 



<html> 

<head> 

<title>Aliens Abducted Me - Report an Abduction</title> 
</head> 

<body> 

<h2>Aliens Abducted Me - Report an Abduction</h2> 


It’s pe\r*fed:ly rtov-mal 
-fo\r a PHP sdv-ipi -to 
mdude \rcgubv- WTtAL 
a^bbribirtes. 



<?php 

$when—it—happened = $_POST[ 1 whenithappened 1 ]; 
$how_long = $_POST[ 1 howlong']; 

$alien description = $ POST[* description *]; 

恤 g ， tted = y fangspGtted ，]; 

$email = $ POST['email']; 



Tins cir>*tiv-c blodk o^* 
sdvi p 七 toAt is PWP … 七 he 
vcs*t o( *tKc sdvif 七 is 
HTAIL- 





This dhuhk o( PHP 

乙 ode gv-abs the 

-Po\rm data so that 
i 七乙如 be displayed 
as pa\rt a 
^Oh-Piv-rwcl-tioh page. 


echo 'Thanks for submitting the form.<br / > *; 
echo 'You were abducted ' . $when_it—happened; 

echo ' and were gone for ' . $how—long . * <br 

echo 'Describe them : * . $alien—description . 
echo 'Was Fang there? ' . $fang_spotted . '<br 

echo 'Your email address is * . $email; 



tteve >wc use 

PHP bo 5 cir>cv-a*tc 

HTML todt -fv-om 
*tv>c -fovm dd*td- 


?> 


</body> 

</html> 


v)us*t like d hoirmal y/eb 
this PHP sdv-ip-t -finishes up by 
dlos'mj oui opch HTML tags. 
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add life to your static pages 



Tqst DriVQ 


Change Owen’s form to use a PHP script to process 
the form data. 

Create a new text file called report. php, and enter all of the code on 
the facing page. This is the script that will process Owen’s web form. 

The PHP script isn’t connected to the form yet, so open the 
report. html page in a text editor and change the form action to 
report. php instead of mailto. 

<form action = "report.php" method = "post"> 



report.html 



report.php 


Open the report. html page in a web browser, enter some alien 
abduction information in the form, and click Report Abduction. 




Aliens Abducted Me - Report an Abduction 

Shuiffc ^wir story pf ilicn alidiMJtkin: 


oy\ youir biro>wsc\r, 
you may sec a y/cb page y/ith 
sorwc Y/ci\rd 七 e 乂 t m ’七 
possibly jusi ?W? souvdc 
乙 ode -fov -the \rcpo\rtphp sdvipt 


First namiM 
I ■咖 n&ymr. 

Whut ii pur imaU laddrtfBs? 
Wbea did tt HapiKfi'? 

Kqh Ujur were yeu 
Kim. muny flit 
Docribe thvnr. 

WbBi dBif m- yw- 

Itavdiii ««i my dwFaflg? 


Jj5T" 


hLadvr 




lastKJwe，^r 

IlNhiT- 




19hr (|i 託 n mrn 

ulerd mcflbw-^UrO 


in /ibtJm-liPH 


Ar, rt„ 淑枯 AbAitu d M* - 

Aliens Abducted Me * Report an Abduction 

.娜 w 



• 門。 

btflTI I Jt 


^porr.juyt 



fw 


B I "57^ - - - — 

liftnoiB 9 wvir.wj • n ， rD7：| ^ Oil j-^v , 


■一霞 


Am.tbinp l-Ut vihj waniL to artii? 

f ftfep»grtteducli4jn ) 




S:: ?r ’ hnpi "一一⑽咖叫，心“，、, 

叫峨 5 似 / VUI 汾 

他如 U ㈣ Abd^ tBd _ 

P° t . 时 AbdyttJl^n-C/tsas 




Do you think this is how the PHP script is supposed to work? 
Write down why or why not，and what you think is going on. 
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putting php scripts on the server 


?W scripts must live ow a server! 



Unless you happen to have a web server running on your local computer, 
the report. php script can’t run when you submit the Report an 
Abduction form. Remember, PHP is a programming language, and it 
needs an environment to run in. This environment is a web server with 


PHP support. PHP scripts and web pages that rely on the scripts must 
be placed on a real web server, as opposed to just opening a script 
directly from a local file system. 


you do have s web scv*vcv- 

•ms^alled loyally a^d i-t has 
PHP suppo\rt, thch you 
七 《 七 out PHP sMyis div-c^-tly 
Oh youv- lodal dorhputev-. 


Web browsers 
know nothing about 
PHP and, therefore, 
have no ability to 
run PHP scripts. 



緣 c HTML v/ck pays, 乙扣 

be oy^cd Ually …士 k'ov/scn 

PHP must alv/ays be opened 

a URL a v/cb server. 


This PHP sdv-ip-t 
•s jus-t a buhdli of 
r^cahihglcss 匕 ode "to 
"the web b\rowscV". 


Tiic v/cb sc\rvc\r 
ur\dcv-s*tair\ds i\\\s 

PHP Code ar>d 

vur\s 七 he s^vipt! 



A <\uuik way -to -tell i-f a web page 

' s ^ ih 9 by a web scv-vcv- is 

to look the URL stav-tmg with 
http-* . Wc\> pages opchcd as lo^al 
+il « always stav-t with %\ t ： v . 



Web servers with PHP 
support are equipped to run 
PHP scripts and turn them 
into HTML web pages that 
browsers can understand. 


PHP scripts must te 
run on a wet server 
or tkey won’t work. 
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add life to your static pages 


fret your PHP scripts to the server 

It’s perfectly fine to create and edit PHP scripts on your local computer. But 
you need to put the files on a web server to run them. PHP files are often 
placed alongside HTML files on a web server. There’s nothing magical 
about putting PHP scripts on a web server — just upload them to a place 
where your web pages can access them. Uploading files to a web server 
requires the help of a utility, such as an FTP (File Transfer Protocol) utility. 



usually 

-foldcv- ov\ v/cb 
scv*vcv V/VlCV"C 

Y\oi all, v/ck -f lics 
arc s-toved- 


^losi Pftp s^v-ipts 
a ppca\r alongside othev- 
■pilcs ih "the -Poldcv* 
on tKc v/cb sevvev". 



report, html 


style, css fang.jpg 


Images av-c sometimes 
ytoved m ovm •foldcV' 
cm tVic wck server -for 
ov-jamz^tioir^al vedsems … 

bu*t 灼 o*t m tasc- 


Uploading your PHP scripts to a web server isn’t enough — that 
web server must also have PHP installed on it. Some web servers 
include PHP by default, some don’t. 


tWeiare nQ ^ 

Dumb Questi9ns 


How do I know if my web server has PHP installed? 

You could ask your web administrator or web hosting company, or you 
could just perform a little test yourself. Create a text file called test. php 
and enter the following code into it: 

TV»s asks PHP 
-to display 
about 


<?php 

phpinfo() 

?> 


Now upload test. php to your web server, and then enter its URL into 
a web browser. If PHP is installed on your server, you’ll see lots of detailed 
information about PHP, including its version. Bingo! 


o 



If you don’t have PHP 
installed on your web 
server, check out 
Appendix ii. 

You’ll find instructions here for getting PHP 
up and running on your web server. 


Remember -to delete 
stvift you donC> so 
y\o oy\c else da” see 
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test drive your php script 




Tesr DriVq 


Upload the Report an Abduction files to a web server ， 
and try out the form...again. 

Upload report. html, report. php, style . css, and fang. 
jpg to a web server that has PHP installed. Enter the URL of the 
report. html page into your browser, fill out the form with alien 
abduction information, and click the Report Abduction button. 



reP ° rt report.php fan 9JPg 




fV，O ~ Report an 


Aliens Abducted Me - Report an Abduction 

Share ymar stoiy of ilwn. jhduclion: 



First ■: 

I ■於 L nium 1 ： 

Wbul is vtiur email aESdreHS 1 ? 
VKbfcB It 

LeniiweK yaa stiue? 
Him. many did «*- 
IJentTibi? thems 
VyhBA ditf dwy do»yMJ 7 


|jUI— 



il frvJ« i TP 1 ! Hi ，㈣ n 鴻 ㈣ 

U5Ct«^«»nber 

~li han'1- 




kflk fii?Tn rwn 

Ktkcd mcdt?i?UrO 


The PttP sex'^i v/orks! I 七 
display 5 -form … a 
toy\-f'»v-w»atioy\ v/cb fay* 



^ n n 



■Hlfrii Mf ■ jn A^ucttpci 


Wl 

. 1 


Aliens Abducted Me - Report an Abd notion 

You were aMucetd lisi N'm'CFiiitKr and whc ； gooc Cdr i ] baura 
[JtsnllB Oicm: 

Wus Fung IhaE? m 

V ■: mr mnjiU iilfp.S 1 lhcvrnj.ll|.injcn j^im 


far JTrf. 


Aim Ehinp L'lyr- ynu wariL Ui arlrt? 



20 Chapter 1 




















add life to your static pages 


Cool. Now you just need to add 
some PHP code to take care of 
emailing the form data. 



That’s right. The report. php script’s still missing 
code to email the alien abduction data to Owen. 

But that’s not a problem because PHP offers a function, a pre-built 
chunk of reusable code, that you can use to send email messages. 
You just need to figure out what the email message needs to say 
and then use PHP to create and send it. 


Time out! We don’t even know how the 
original report.php script works, and now 
we're charging ahead into sending emails. 
This is like majorly overwhelming...hello!? 


O 


It’s true. Doing more with PHP requires 
knowing more about PHP. 

So in order to add email functionality to Owen’s 
report. php script, you’re going to have to dig a 
little deeper into PHP and get a solid handle on how 
the script works up to this point. 
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how php code turns into html 


The server turws PHP iwto HTML 

A big part of understanding how a PHP script works is getting a handle on 
what happens to the script when it runs on the server. Most PHP scripts 
contain both PHP code and HTML code, and the PHP’s run and turned 
into HTML before the server passes the whole thing off as HTML to the 
client web browser. In Owen’s report. php script, PHP code generates 
most of the HTML content in the body of the confirmation page. The 
HTML code surrounding it is delivered unchanged. 

丁 his HTML todt is passed alo^^ 
"fco the b\roy/scv*. 




</body> 

I </html> 

l 

Mo 代 static I+T/VIL dodc, wkidh 
ik sc\rvc\r passes aloh^ -to ike 
b\roy/sc\r with ho 
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add life to your static pages 


This HTML 匕 ode is Crtaitd 

by i\\t PHP 

sd.vip*t> v/iiidii alloy/s i*t *to do 
dool like blcr^d m -fovn 

data ^ j 必七 errteved. 


«__l 


TV ⑼ d vcsult -tiic PHP 
strip 七 is a pure HTML y/eb 
pay 七 ha 七 v^as dy^am»d-allY 
^cr\cv-a*tcd ov\ 七 sevvev-. 


— i*t doesh^t 


Dyhamie - | 七匕 halves 
cvcv~y 乇 som^ohe 
submi-ts 


"the -Povm/ 



<html> 

<head> 

</=^> 16> 姐咖 AbdUCted Me ' an Abduction</title> 

<body> 

<h2>Aliens Abducted Me - Report an Abduction</h2> 




Thanks for submitting the form.<br /> 

You were abducted last November and were ann^ -For- i i ^ 

Describe them: <br /> e g ° ne for 11 hours<br /> 

Was Fang there? no<br /> 

Your email address is alfn@theyreallgreen.com 


</body> 

</html> 


科 1 O _JWttrw Atefc>cr#d Kfr ■ Repon in Abductlofi 



AJiens Abducted Me - Report an Abduction 

T: ou were atJducwd Iasi Xowra&cr and were, gooc ar |] boura 
describe diem: 

Wiii, Fung Ihac? nt 

丫撕删 lUadilmM is ulfnSihcyiEaJliipMa 句 m 
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anatomy of owe^s php script 


Pecowstructiwg Owew's PHP script 

The report. php script is triggered by the Report an Abduction form, and 
its job (at the moment) is to take the form data and generate a confirmation 
web page. Let’s see how. 

The first chunk of code is pure HTML. It just sets up the page we’re building, 
including a few HTML tags required of all pages. 



<html> 

<head> 

<title>Aliens Abducted Me - Report 
</head> 

<body> 

<h2>Aliens Abducted Me - Report an 



an Abduction</title> 


Abduction</h2> 


Yes, -this HT/WL Code is 
pv-etty “I - ideally 
you’d have a VOCTYPB, 


<^cia> tic., but 
wcVc keeping things 
simple hcvc. 


Here’s where things start to get interesting. We’re ready to break out of 


HTML code and into PHP code. The <?php tag opens a section of PHP 


code 


everything following this tag is pure PHP. 


<?php 



f*v-om hcv*c v/cVc 
PHP dode … a 七 least u^til wc 
*to 七 he tlosm^ ?> 


This code grabs the form data and stores it away in individual variables so 


that we can easily access it later. PHP variables allow you to store values, be 
they numbers, text, or other kinds of data. 

$when_it_happened = $_POST['whenithappened*]; 
$how—long = $_POST['howlong']; 

$alien_description = $_POST['description *]; 


*P\rorw a -Po\rrh -field 
■feo a hew v^Hable. 


$fang_spotted = $_POST['fangspotted'] 
$email = $_POST[* email 1 ]; 


Now we’re talking! Here the variables we just created are put to work 
by inserting them into dynamically generated HTML code. The echo 
command outputs HTML code that gets returned directly to the web browser. 


echo 

echo 

echo 

echo 

echo 

echo 


Thanks for submitting the form.<br />'; 
You were abducted ' . $when—it—happened; 

and were gone for ' . $how—long . '<br 

Describe them : ' . $alien—description . 

Was Fang there? ' . $fang_spotted . * <br 

Your email address is ' . $email; 



TVis PHP Code blends 
vav-iablcs m*to HTML 
Code 七 haVs ou 七 f u 七 *to 

bvoy/sc\r. 


The ?> tag matches up with <?php and closes up a section of PHP code. 
From here on, we’re back to normal HTML code. 


?> <： 



This chds -the PHP todc - 

■this wcVc back io HTML. 


Now wrap up the page by closing out the HTML tags we opened earlier. 


</body> 

</html> \ - - Pon’ 七 wcVc ^ ttTAIL 

>/eb so v/vap up ■tKc HTML todc- 
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code 

A few PHP rules to Kve by 

Owen’s report. php script reveals a few fundamental rules of the PHP 
language that apply to all PHP scripts. Let’s take a look at them. 


/ PHP code is always enclosed b 


y <?php and ?>• 



/Wos 七 PttP shifts av-c just HT/WL web 
P a 9 cs with PHP ^odc thv-owh ih - these 

tags tell -the sc\rvc\r wha-t Code is PHP. 


Every PHP statement must end with a semicolon (;)• 


echo 'Thanks for submitting the form.<br /> 


^ y o 价 ^odt cvcv- bv-caks, 
-fco mdke suve you 
havch -t -Povgo-fc-tch s 
scmidoloh. li happens mov-e 
oftch iha^ you’d ihihk. 



The SCw\»£.oloir\ lc*ts PttP 
know i\\ai tVi'is is i\\t 
tv\A d s*ta*tcw»cy\t 


If there is any PHP code in a web page, its a good idea to 
name the file on the web server with .php, not .html. 



report, php 


TWis a deal bvcakc\r, but »*t's 

3 ^ood idcd bo ir\aw\C PttP s^v'lfts 

wi*th a -file 



PHP variable names must begin 


with a dollar sign ($). 



$ email 


丁 he dollav- sigh ^lcav-ly 

idch-ti-Pics a PHP vaHable ； 

v/hith s-to\rcs m-fov-ma-tioh 
within a PHP sdv-ipt. 


=$ POST['email']; 


Given the variables used in the report. php script, do you see 
any other PHP rules pertaining to variables? Write 6 em down! 
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variable naming rules 


Finding the perfect variable name 

In addition to starting with a $， PHP variable names are also are 
case-sensitive. But that’s not all — there are other important rules 
governing how you name variables. Some of these rules are syntax 
rules, meaning your code will break if you ignore them, while other 
rules are just good ideas passed down from wise old PHP coders. 

Let’s start with the official rules that will absolutely cause problems 
if you ignore them when naming variables. Follow these rules to 
create legal variable names. 


A variable is a 

container tkat you 
can store data in ， 
and every variable 
lias a unique name. 


gT 


The first character must be a dollar sign ($). 


6joi \i! 


variable name must be at least one character in length 

/The first character after the dollar sign can be a letter 
or an underscore ( ), and characters after that can be 
a letter, an underscore, or a number. 

/ Spaces and special characters other than and $ are 
not allowed in any part of a variable name. 


Not douhtihg -the f 乙 
v/liidh is \rc^ui\rcd o-p 

variable hx. 


Illegal! PHP vaviablc 

or spades. 


$email 


Legal 



Lc^al 



$how—long 



lllcjal/ Hyphens 
avW 七 allowed ’m 
PfiP variable 



when-it happened 


These rules will stop your code working if you don’t follow them, but 
there are a couple more rules that are good to follow as more of a 
coding convention. These rules help make PHP code a little more 
consistent and easier to read. 


alien description 


Illegal/ PHP variable 
hames must s-fcavt 

with B dolld\r sigh (f). 


/ Use all lowercase for variable names. 


Separate words in a multi-word variable name 
with underscores. 


These last two rules won’t break your code if you ignore them, and you’ll 
certainly run across PHP code that doesn’t adhere to them yet works just 
fine. This is because they are just a stylistic convention — but they will 
serve you well as you begin creating and naming variables of your own. 


PHP variable 

names must tegin 
witk a dollar 
sign, and cannot 
contain spaces. 
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Does it matter whether I put PHP 
commands in uppercase or lowercase? 


A ： 


Yes and no. For the most part, PHP 
isn’t case-sensitive, so you can get away 
with mixing the case of most commands. 
That means you can use echo, ECHO, 
or Echo when echoing content. However, 
as a matter of convention, it's a very good 
idea to be consistent with case in your 
scripts. Most PHP coders prefer lowercase 
for the vast majority of PHP code, which is 
why you'll see echo used throughout the 
example code in the book. 

So even if it’s a bad coding 
convention, I can mix and match the case 
of PHP code? 


A 


No, not entirely. The huge exception 
to the case insensitivity of PHP is variable 
names, which apply to data storage locations 
that you create. So let’s take the $ email 
variable used in the Report an Abduction 
script as an example. This variable name 
is case-sensitive, so you can’t refer to it as 
$EMAIL or $eMail. All variable names 
in PHP are case-sensitive like this, so it’s 
important to name variables carefully and 
then reference them consistently in your 
code. More on variable names in just a 
moment. 

Is it really OK to put both PHP and 
HTML code in the same file? 


A 


Absolutely. In fact, in many cases it’s 
absolutely necessary to do so. 



Why would I want to do that? 

A- 

r \^ Because the whole idea behind a web 
server is to serve up HTML web pages to 
browsers. PHP doesn't change that fact. 
What PHP allows you to do is change the 
HTML content on the fly with things like 
today’s date, data pulled from a database, 
or even calculated values such as the order 
total in a shopping cart. So PHP allows 
you to manipulate the HTML that goes into 
web pages, as opposed to them just being 
created statically at design time. It's very 
common to have HTML code for a page with 
PHP code sprinkled throughout to plug in 
important data or otherwise alter the HTML 
programmatically. 


Does PHP code embedded in an 
HTML file have to be on its own line, or 
can I embed it in an HTML line, like as 
part of an HTML tag attribute? 


A ： 


Other than needing to place your PHP 


code within the <?php and ?> tags, there 
are no restrictions in how you embed it in 
HTML code. In fact, it's often necessary to 
wedge a piece of PHP code into the middle 
of HTML code, like when you're setting the 
attribute of an HTML tag. This is a perfectly 
legitimate usage of PHP. 


I’ve seen PHP code that’s enclosed 
by <? as the start tag instead of <?php. 
Is that right? 


A ： 


Not really. Technically speaking, it's 


legal, but it isn’t recommended. A server 
setting must be enabled for the short open 


tag (<?) to work. The usual < ?php tag 
always works, so it's better to use that and 
know that your code will just work. 


If a web server always returns pure 
HTML code to a client browser, why do 
URLs show the PHP script name, like 
webpage.php? 

A- 

Jr \* Remember that every web page is 
the result of a two-sided communication 
involving a request from the client browser 
and a response from the web server. The 
URL is the basis of the request, while the 
content returned from the server is the 
response. PHP scripts are requested just 
like normal HTML web pages through URLs 
entered into the browser or linked from other 
pages, or as form actions. That explains why 
the URL for a PHP “page” shows the name 
of the PHP script. 

The other half of the equation is the 
response from the server, which is the 
resulting code that’s generated by the PHP 
script. Since most PHP scripts generate 
HTML code, it makes sense that the code 
is HTML and not PHP. So it’s no accident 
that a URL references a .php file on a server, 
which causes PHP code to be executed on 
the server, ultimately resulting in pure HTML 
content being returned to the browser. 

Can PHP variables store any other 
kinds of data? 

Absolutely. You can use variables to 
store Boolean (true/false) data. And numeric 
data can be either integer or floating-point 
(decimal). There are also arrays, which store 
a collection of data, as well as objects, which 
associate a collection of data with code that 
is used to manipulate the data. Arrays are 
covered a little later in this chapter, while 
objects are tackled in Chapter 12. There 
is also a special data type called NULL, 
which represents no value. For example, a 
variable that hasn’t been assigned a value is 
considered NULL. 
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add owen^ missing data 



O 


Either PHP's memory isn't all 
that good or there's something 
wrong with the script... there's 
some form data missing. 


O D Alifrw Report an, rtlxiucrin.~i 

Aliens Abducted Me - Report an Abduction 

gh irnstory of alien ihduction: 

First tiflJiM ：!： 

l.jal nauw. 

WbtLil b ^ur fnuii addrew 
Wbea M it hamwfl? 

Kqh_ LoruiweK yeu 坊 uc? 
liiiw mun^ dirt >aia 
rhswribe ihvmz 
WbBldMitlwy 
Ka ve i _ 浴 a mff dw r iiig 



灼 o n 


AliPn% 


M aliCh dcs^v-iptioh 
w 3 s dlc 3 \rly Ch*tc\rcd 
nvto the +ov-rn... 


—but the des^riptioh is 
^otidcably missihg *m the 
^Oh-Pi\rma'tioh web page. 



R^f»rr an Abducciofii 



Aliens Abduced Me - Kepori m Abduction 

If gu wck a^diKvfj/iasi Xoiifiraficr arna werc ifooc ftjr i ] 

CJescdbc Owm: ^ 

Wkii Fung lhoE?EHii 

YauiieiruiijasliIrcM bi .ilfaSlhc^'iEiJIj^Dcnizim 
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add life to your static pages 


:^l|^rpei your pencil 


There’s a problem with the alien description form data in Owen’s 
report.php script. Circle the lines of code that you think relate to 
the problem, and write down what they do. Any idea what’s wrong? 


<html> 


<head> 


<title>Aliens Abducted Me - Report an Abduction</title> 


</head> 


<body> 


<h2>Aliens Abducted Me - Report an Abduction</h2> 


<?php 


$when—it—happened = $_POST['whenithappened']; 
$how—long = $_POST['howlong']; 

$alien 一 description = $_POST['description']; 
$fang—spotted = $—POST['fangspotted'] 

$email = $—POST['email，]; 


echo 'Thanks for submitting the form.<br />'； 
echo 'You were abducted ' . $when—it—happened; 
echo I and were gone for ' . $how long . '<br />'; 
echo 'Describe them: ' . $alien—description • '<br /> 
echo 'Was Fang there? ' . $fang—spotted • '<br />'; 
echo 'Your email address is ' • $email; 


?> 


</body> 

</html> 



report, php 
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sharpen solution 


c^iharpen your pencil 

Solution 


TK'is Imc of dodc yaks 
{\\t alien dcsdviptio^ -fvom 
*tiic HTML -fovm -f ield ar>d 
s*fcovcs i*t 3 PttP vaviablc 
^dmed /all ⑼一 des 6 \rip 七 ion. 


This todc dombmes -the alien 
des 〜 _p 七 _cm y/iih some oihev ie^i 
3 灼 d ttTAIL CoAt) dK>d output dll 
o( ii -to ihc bmoy/sev. 


There’s a problem with the alien description form data in Owen’s 
report.php script. Circle the lines of code that you think relate to 
the problem, and write down what they do. Any idea what’s wrong? 



<html> 


<head> 


<title>Aliens Abducted Me - Report an Abduction</title> 


</head> 


<body> 


<h2>Aliens Abducted Me - Report an Abduction</h2> 


<?php 



$when—it—happened = $—POST['whenithappened']; 
$how—long = $—POST['howlong ， ]; 

^$alien_description = $—POST [，description 
$fang—spotted = $—POST['fangspotted'] 

$email = $_POST['email ']； 


echo 'Thanks for submitting the form.<br />'； 
echo 'You were abducted ' . $when—it—happened; 


echo I and were gone for ' . $how long . '<br />'; 


echo 'Describe them: ' . $alien_description . '<br /> 
echo 'Was Fang there? . $fang—spotted^ ' <br / >'； 
echo 'Your email address is ' • $email; 



?> 



</body> 

</html> 


Foy some veason i\^t fall ⑼一 咖 

variable affcav-s -to be 灼 0 七 5 00< ^* 


report, php 
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add life to your static pages 


Variables are for storing script data 


PHP variables are storage containers that store information kinda 
like how a cup stores a beverage. Since the $alien_de script ion 
variable is empty, we know that the form data is never making its way 
into it. So the $alien_de script ion variable remains empty 
despite our attempt to assign data to it. 


This is the 

the variable- 




$alien_description 


ovaV" is 
duvrerrtl'/ cw'fty- 




$alien_description 


% 代 looking -fo\r 3 dup 

that ovcir-flowctli with 
^ alieh dcsdv-iptioh/ 


One way to fix the script would be to just assign the exact string 
we’re expecting to the $ alien—description variable, like this: 


$alien—description 

Tiic c^ual *tclU PttP *to 

ass'i^y> value oy\ 

-to 七 he \/av"’iable o 灼 *bKc Ic-rt 



little green men 1 ; 



Pieces o( text ih PUP, also 
khovm as s-tvihjs, rwus-t dlwdys 
be Chdloscd by Quotes, cithcv- 
sihgle Quotes o\r double Quotes. 


This code works in that it most definitely stores the text ' little 
green men ' in the $alien—description variable. But we 
solved one problem by creating another one — this code causes the 
alien description to always be the same regardless of what the user 
enters into the form. 


Somehow the assignment of alien description form data to 
the $alien_description variable is coming up empty. 

$alien_description = $— POST ['description▼]; 

What do you think this code is doing wrong? 
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all about $ POST 


The problem obviously has something 
to do with that $_POST thingy. But 
I have no idea what it is. 


O 



The problem does have to do with $_POST, which is a 
mechanism used to pass along form data to a script. 

The dollar sign at the beginning of $—POST is a clue... $—POST is a 
storage container! More specifically, $_POST is a collection of storage 
locations used to hold data from a web form. In Owen’s case, it holds all 
the data that gets sent to our report. php script when someone fills out 
the form and clicks the Report Abduction button. So in order to access 
the form data and do anything with it, we have to go through $_POST. 
Remember this code? 


$when_it_happened = $_POST['whenithappened 1 ]; 


$how—long — $_POST['howlong']; 

$alien—description = $_POST[ 1 description *]; 
$fang_spotted = $_POST['fangspotted']; 



$email = $_POST['email']; 



deal c 依 ft 

era'll data 

yaWoc 令 and 如 r 卞 

av/ay m vayr,ablc * 


"The piede o-f -fo\rm data 
holding the duv-atioh 
the abdudtioh is assi^hed 
■to the variable fhow 一 lohg. 


So the data in each field of the Report an Abduction form is accessed 
using $_POST. But what exactly is $_POST." a variable? 
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add life to your static pages 


LPOST is a special variable that holds form data 


$—POST is a special variable that is known as a superglobal because it is built into 
PHP and is available throughout an entire script. $_POST already exists when your 
script runs — you don’t create it like you do other PHP variables. 


O O aiimvs W+ ■ Popart an ■ftMturrinn 

Aliens Abducted Me ^ Report an Abduction 

story of Alien. jhdiKtion: 


TKc / 一 POST supcv-^lobal 
holds p'icdc <Jc data 
cr\*tcvcd m*fco 七 -fovm. 



POST[ ， howlong，] 


First najttOL 
I.jaL nasTie: 

Whu* b vuur email addruis? 
Wiaeu < 3 ld it hfippffiT 
Koh LormwfeK HU kqh«? 
Btm. miMny did you 
rhscritw them: 

Wbaiditf ui*y cioi&yrwT 
liav« 5 ou 嫩 u im. dofiF MS? 


hJ^Pi 


it *cpr^ *IHa ■㈣ n 4 frm 

!«scKtw<mb«r 



tHk itwrn 
ulccd me UrO 

Y& O © 



V 




A nvthinp l-L^t vnu waniLt* arlrt? 






Me - Report an Abduction</title> 


<html> 

<head> 

<title>Aliens Abductec 
</head> 

<body> 

<h2>Aliens Abducted ]}je - Report an Abduction</h2> 

<?php . 

$when_it hap^Q^ =% post r ' ] . 
$how—long ^ ^PQST [ ' howlong '77^) 

$alien_descrxptIBn =^F^T-rr!escription ,]; 

$fang—spotted = $_POStT' fAngspotted'] 

$email = $_POST['email 1 ]； V 

echo 'Thanks for submitting \he form.<br /> 
echo jYou were abducted ' . $\hen_it_happened; 

and were gone for ' . $V)w_long . '<br />，； 
’Describe them: ' . $alien\description . '<br 
’Was Fang, there? ' . $fang_V)otted . ,<br / >' 

'Your email address is ， . $e\nail ； 


echo 

echo 

echo 

echo 


/> 


?> 

</body> 

</html> 


The $_POST superglobal is directly tied to the form submission 
method used by the HTML form. If the method’s set to post, then 
all of the form data gets packaged into the $_POST superglobal, 
where each piece of data can be plucked out and used as needed. 



report, php 



"The “howlohg” £omes -fv-orn 

"the 3't't\ribu'tc of "the 

< •… put> tag 4\r this -Pov-m -field. 


The -Po\rm submissioh method 
detev-mihes how the -Pov-rw data 
upplied -to -the PHP s^v-ipi 


report, html 


is s 





How do you think the $_post superglobal 
works? How can it store multiple values 
from all those text boxes on Owen’s form? 
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$_POST is an array 


令一 POST transports form data to your script 


$—POST is a special kind of PHP storage container known as an array, 
which stores a collection of variables under a single name. When someone 
submits Owen’s form, the data they’ve typed into the form fields is stored in 
the $_POST array, whose job is to pass the data along to the script. 

Each element in the $— POST array corresponds to a piece of data entered 
into a form field. To access the data for a specific form field, you use the 
name of the field with $_POST. So the duration of an abduction is stored 
in $_POST [ ' howlong 1 ]. The HTML code for Owen’s form reveals how 
form names relate to data stored in $ POST. 


Atirms At»duct«l Me - Rc-port aii AbducEion 

n iWT fddxTl 办 J All* 


<p>Share your story of alien abduction : </p> 

<form method="post" action="report.php"> 

'firstname">First name : </label> 
text" id="firstname" name="firstname 
'lastname">Last name : </label> 

: "text" id="lastname" name=" las tname" /xbr 
'email">What is your email address?</labe 
="text" id="email" name="email" /xbr 
'whenithappened" >When did it happ^j^^/label> 
text" id="whenithappened" namo^whenithappened 
'howlong">How long were you gon^?</label> 

="text" id="howlong" name="howlong" /xbr /> 

'howmany">How many did you aee?</label> 

text" id="howmany" name="llpwmany" /xbr /> 

'aliendescription">Describe \hem:</label> 

="text" id="aliendescription'\name="aliendescription 
'whattheydid">What did they d 入 to you?</label> 
text" id="whattheydid" name='\^hattheydid" sizek^32" /xbr 
'fangspotted">Have you seen my dVg Fang?</label> 

Yes <input id="fangspotted" name="fangspottec^! type="radio" Vc es 

No <input id="fangspotted" name="fangspotted" ^^pe="radio" valu^v"no 
<img src="fang.jpg" width="100" height="175" 
alt="My abducted dog Fang." /xbr /> 

<label for="other">Anything else you want to add?< 

<textarea name="other"x/textarea><br /> 

〈input type="submit" value="Report Abduction" name="sil unit" /> 

</form> 


<label for=' 
<input type: 
<label for=' 
<input type: 
<label for=' 
<input type: 
<label for=' 
<input type: 
<label for=' 
<input type: 
<label for=' 
<input type: 
<label for=' 
<input type: 
<label for=' 
<input type: 
<label for=' 






bel> 



Tke 令一 POST 

array is lilleJi 
witli tke 
values tke user 
entered into 
tke lorm. 



-f ield drtermmes V^ov/ 
1 七 is acusstd w’rtWm 
i\)t f_P0ST array. 


‘firstname 1 ^email 9 t howlong , < aliendescription , 

‘■astname , ‘whenithappened* ^howmany’ 



$ POST 



AH o-p the -Pov-rw data 
is tli\rou0li 

the f_?0ST av-v-ay. 
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add life to your static pages 


:^l|^rpei your pencil 


Rcmcmbcv, C^rliCV" 
y/e isolated 七 he 
^voblcw' do>MK\ *to 
ilicsc W> I'mcs 
o-f Code- 


Scratch through the code in report. php that is causing the alien 
description to come up blank, and then write down how to fix it. 
Hint: Use the HTML form code on the facing page to help isolate the 
problem. 


<html> 


<head> 


<title>Aliens Abducted Me - Report an Abduction</title> 


</head> 


<body> 


<h2>Aliens Abducted Me - Report an Abduction</h2> 


<?php 




$when—it—happened = $_POST['whenithappened']; 
$how—long = $—POST['howlong']; 

^$alien_description = $— POST [ 1 description 
$fang—spotted = $—POST['fangspotted'] 

$email = $—POST['email，]; 


echo 'Thanks for submitting the form.<br />'； 
echo 'You were abducted ' . $when—it—happened; 
echo I and were gone for ' . $how long . '<br />'; 


echo 'Describe them: ' . $alien—description • '<br /> 



echo 'Was Fang there? ' . $fang—spotted • '<br />'; 
echo 'Your email address is ' • $email; 


?> 


</body> 

</html> 



report, php 
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sharpen solution 


Sharpen your pencil 

Solution 


Scratch through the code in report. php that is causing the alien 
description to come up blank, and then write down how to fix it. 
Hint: Use the HTML form code on the facing page to help isolate the 
problem. 



'< 3 ：nput type^text- id-'aUendescr.pt.on 


name: 


'aliendescription^ 


size: 


'32" /> 


T\\t name <Jc -fovm 
-field m vcpo\rt^*t^ljs 
w ali ⑼ des 乙 vif 七 ior/’ ， >n\\\cM 

doesn't 

used m f POST 



l/Ve need "to POST 

s <> "the -fov-rw -field Ktdme 

is CoYYtth 《 aliendes^riptio〆. 


's HDductecf Me^^Repo 




oduction</title> 


<bod y> / reporthtml 

^i2>Aliens Abducted Me - Report an Abduction</h2> 

<?php 

$when_it—happened =^N^OST [ ' whenithappened']; 

$how_long = $_POST['howlonV ]； 

.. l al’ 心 des^rif 七 ior/ 

$alien—description = $ pnom j- , ■, - 一 , 

$fang—spotted = $—POST['fangspotted'] 

$email = $—POST['email,]; 


echo 'Thanks for submitting the form.<br / >'； 
echo 'You were abducted ' . $when—it—happened; 
echo ， and were gone for ' . $how—long • '<br / >'； 
echo 'Describe them: ' . $alien—description • '<br /> 
echo 'Was Fang there? ' . $fang—spotted • '<br / >'； 
echo 'Your email address is ' • $email; 


?> 


</body> 

</html> 



report, php 
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add life to your static pages 



Tqst DriVQ 


Fix the script and test it out. 

Change the broken line of code in report. php, and then upload it 
to your web server. Open the report. html page in your browser, fill 
out the form with alien abduction information, and click the Report 
Abduction button to submit it to the newly repaired script. 


fS C"； AiiNi'S rtlauftaoiTd K* R^pQn aa AMucrinfi 


Aliens Abducted Me ■ Report an Abduction 

SKjjtc your stnry of ilicn aSKluction: 


First aojoci 
1 . jaL na 蕭： 

Whu.4 b i-xiur email addren：? 
TiYbeiB dfcl It 

KtiH bsmivert you ftous? 

Hkm- many did ，bu 狀 ! 

them: 

Wbamdif tiwy 忉 》ywz 

3 ou wtB my d^E F 


一一一 


KJhdfr 

ii jJ Ifl ! 林 n 


llhaun 




liRk iiiinrn mrn 

takei pic UfO 





The doy>*f iVma*tioir> 
fay y>oy/ dovvct*tly 
sV>ov/s *thc -fovm 
daia -fov -the alic^ 

dcsdV*lf*t*lOir>| 




Any thing v\sr ynu wanL 


轉门 - Btpqrt an At^uctKm 

AJiens Abducted Me - Report an Abduction 

You were aMLKwd lasi Xowro6cr and woe： gow tor " 

LNscrite diem: tmte green oitn -- - -- 

Wu^ Fung Itere ? 邱 

Ycillt orujU bs ulfn££ Lhi^y r nsaJ|j^n3cn,jcnm 
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revise owen J s php script 


r^lj^rpei your pencil 


There’s some data entered into Owen’s Report an Abduction 
form that we aren’t currently using. Remember, this data 
contains vital information about an alien abduction that could 
lead Owen back to his lost dog, Fang. So we need to grab all of 
the abduction data and store it away in PHP variables. 


iIIlQ O AJi^n^ Afciitjnrd hf* - 


Rrporr aa Ahcluccinn 


Averts Abducted Me • Report an Abducti 


DO 


w story irfilien jhdiKiiflrK 


TV^c vcfortfiip s^vifb 
^uv-vcr\*tly i^o\rcs -rive 


I tlOJKiO! 

I.iut nairas ： 




扑 bea dkl 

Boh Ifltm vrere 
enunv dir 
Hwcribt! thfm 
Wbai dbtf Uw^ do t* 

Ka^ anui|y 


咖 t? 


■Mg? 


Alf 







LI 卜 •:! vs 


gi^rn rm-n 



<form method= f 
<label for= T 
<input type: 
clabel for =, 
<input type= 
<label for =, 
<input type: 


▼post 1 ， action= f, report .php n > 

! firstname n >First name : </label> 

= ff text n id= ff firstname" name= n firstname" /><br /> 
f lastname n >Last name : </label 〉 

="text n id= f, lastname ff name= n lastname n /><br /> 
， ! email ff >What is your email address?</label> 

… = f! text ff id= f, email" name= f, email" /><br /> 

<label for= n whenithappened n >When did it happen?</label> 

<input type= f! text 11 id= ,! when it happened 11 nani6= 11 when it happened" /> 
<label for= lf howlong ff >How long were you gone?</label> 
cinput type= fT text f! id= fl howlong ff name= n howlong n /><br /> 
clabel for="howmany n >How many did you see?</label> 

<input type= n text" id= f, howmany ff name= lf howmany M /><br /> 

〈label for="aliendescription n >Describe them:</label> 

<input typ6= ff text" id= ,! aliende script ion" nam 6 = n ali 0 nd 6 script ion 
clabel for= n whattheydid ff >What did they do to you?</label> 
cinput type= n text f! id= f, whattheydid n name= M whattheydid f! size 
<label for="fangspotted n >Have you seen my dog Fang?</l^S^l> 

Yes cinput id= n fangspotted" name="fangspotted" type="radi 
No cinput id= n fangspotted n name="fangspotted 11 type= ,f radio 
<img src="fang.jpg" width=" 10 0" height= T, 175 ff 
alt= n My abducted dog Fang. n /><br /> 
clabel for="other">Anything else you want to add?</label> 
ctextarea id= fl other" name="other"></textarea><br /> 

〈input type="submit" value= n Report Abduction" name="submit" /> 
</form> 

</body> 

</html> 


A riythui|E rb* yi 

IfaJucL^an 


waul Ui arlrl? 




size= 


， 32 n /xbr /> 


n 32 n /xbr /> 

value="yes" /> 
lue="no n /Xbr /> 


T\\t <mpu*t> -fov- 

-fovm -field holds 

i\\t key -to 

•form da*ta -f\rom PHP- 



report, html 


Write PHP code to create four new variables that store the missing 
form data: $name, $how_many, $what_they_did, and $other. 
Hint: Create the $name variable so that it stores the user’s full name. 


38 Chapter 1 



































add life to your static pages 


Your work is not quite done. The confirmation web page 
generated by the PHP script needs to use those new variables 
to display more information about the alien abduction. 


Wlc Y\ttd *to -fvom … 



^ ^ AJtPn-c A£mIu 口 


Report an AbducEion 


AJiens Abducted Me - Report an Abduction 

You were aMiKwd Iasi N'm^raDcr and wck. gooc Bar l] tMjura 
Ocsc/lbc Orem: EnU^grren men 
Wm, Funp Ihm? w 

Y«ur emjiU aelitra^ h ulfniS lheyiEilli^MaAim 


XKc user’s y>dirv\C isy> *t £.vrti^3l *to 

七 1 化 torvfivmatio 灼 pay ， 

y/cll r^ccd \i la-tcv- ^tv\ v/c stv\d 

3 r\ abdu 乙七 io 灼 email *to Ov/e 灼 . 



… "to this/ /Votive how w\[aCM 
你0代 ih-povrwa-tioh is displayed. 




n 


Allumi Afticbct#d - Rf pgut Jfli AWucWwa 


Aliens Abducted Me - Report ail AbduclUm 

TtianEs-for submJmffl^ iJk Imtl 

Yau w«c abduwd laa N^tmbw«d were garwrar LI Iwues 

jjyfflUcr of ilkni ： tSawns 

E>cH.-nb»: Qrcra: bilk pw：o mm 

]lrc altnidkllJui: ^tnl ttx, abiMl 1TF : [} iq£ulfliH5fiSi 

Wa.s Fang ihoc? iw 

(>0icr cumnKnC*: Ptuic vefle 6.w me. 

V(wt email aJillM is Blfn«4hcjTraU£rcicnrtnn 



Using all of the variables you just created except $name, 
finish the missing code below that generates a more informed 
confirmation page. 


echo 'Thanks for submitting the form.<br / >'; 
echo 'You were abducted 1 . $when—it—happened; 

echo ' and were gone for ' . $how—long . '<br / >'; 


echo 

'Describe 

them:'. 

$alien 

description . ’ 

1 <br / > *; 

echo 

1 Was Fang 

there?' 

.$fang 

spotted . '<br 

/>▼; 

echo 

'Your email address 

is '. 

$email; 
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owen J s revised php script 

- your pendl 

Solution 


There’s some data entered into Owen’s Report an Abduction 
form that we aren’t currently using. Remember, this data 
contains vital information about an alien abduction that could 
lead Owen back to his lost dog, Fang. So we need to grab all of 
the abduction data and store it away in PHP variables. 




AUpni i^bilua^d tAf- - 


Report aa AMuczltm 


AJjcrts Abducted Me - Report an Abducti 

SKjm 户⑽血口 ofilicajWuctionL 


DO 


TV^c vcfortfiip s^vifb 
^uv-vcr\*tly i^o\rcs -rive 


I tlOJKiO! 

I.iut nairas ： 




Wbea dkl 
Koh lerm i 
Knw rnunv dirt 
f>»cribt! thmi: 

Wbai dbtf U»^ do t* }■( 

Kav$ ysn [j||y jijrfi 


<form method= f 
<label for= T 
<input type: 
clabel for =, 
<input type= 
<label for =, 
<input type: 


/><k 


▼post 1 ， action= f, report .php n > 

! firstname n >First name : </label> 

= ff text n id= ff firstname" name= n firstname" /><br /> 
f lastname n >Last name : </label 〉 

="text n id= f, lastname ff name= n lastname n /><br /> 
， ! email ff >What is your email address?</label> 

… = f! text ff id= f, email" name= f, email" /><br /> 

<label for= n whenithappened n >When did it happen?</label> 

<input type= f! text 11 id= ,! when it happened 11 nani6= 11 when it happened' 
<label for= lf howlong ff >How long were you gone?</label> 
cinput type= fT text f! id= fl howlong ff name= n howlong n /><br /> 
clabel for="howmany n >How many did you see?</label> 

<input type= n text" id= f, howmany ff name= lf howmany M /><br /> 

〈label for="aliendescription n >Describe them:</label> 

<input typ6= ff text" id= ,! aliende script ion" nam 6 = n ali 0 nd 6 script ion 
clabel for= n whattheydid ff >What did they do to you?</label> 
cinput type= n text f! id= f, whattheydid n name= M whattheydid f! size 
<label for="fangspotted n >Have you seen my dog Fang?</l^S^l> 

Yes cinput id= n fangspotted" name="fangspotted" type="radi 
No cinput id= n fangspotted n name="fangspotted 11 type= ,f radio 
<img src="fang.jpg" width=" 10 0" height= T, 175 ff 
alt= n My abducted dog Fang. n /><br /> 
clabel for="other">Anything else you want to add?</label> 
ctextarea id= fl other" name="other"></textarea><br /> 

〈input type="submit" value= n Report Abduction" name="submit" /> 
</form> 

</body> 

</html> 




Alf 





■ c|mc riJ 411 贫 n •《争 m 


LI 卜 •:! vs 


gi^rn rm-n 

i«pui 蕭 | 明 》) 




A ny thing rUr yi 

奴和 rt; WbdmMkii^ 


waul Ui arlrl? 


■ im, 


size: 


， 32 n /xbr /> 


n 32 n /xbr /> 

value="yes" /> 
lue="no n /Xbr /> 


T\\t <mpu-t> -fov- 
-fovm -field \\o\As 
key *bo aaessi^ 
•form da*ta -fvom PHP- 



report, html 


Write PHP code to create four new variables that store the missing 
form data: $name, $how_many, $what_they_did, and $other. 
Hint: Create the $name variable so that it stores the user’s full name. 


"The pev-iod allows you 
"to s*tidk rv\ul'tiplc s*t\rih0s 
of text -togethev as 
OhC - a pvo^css khovm 
3s dohdatchatioh. 


This syatc 

sepavates 

the 

3hd las-t 


— 


friamc ^ ，一女 ”— las*t^cij 


fhov /— 二 f^P OST 

.rr. / 一 

Lihc^r - f POSlTo 仏 c〆]; 
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add life to your static pages 


Your work is not quite done. The confirmation web page 
generated by the PHP script needs to use those new variables 
to display more information about the alien abduction. 


Wlc Y\ttd *to -fvom … 



^ ^ AJtPn-c A£mIu 口 # d 


Report an AbducEion 


… "to this/ /Votive how rhudh 
你。代 ih-Pov-rnatioh is displayed. 


AJiens Abducted Me - Report an Abduction 

You were aMiKwd Iasi N'm^raDcr and wck. gooc Bar l] tMjura 
OcscritR Orem: EnU^grren men 
Wm, Funp Ihm? w 

Y«ur emjiU aelitra^ h ulfniS lheyiEilli^MaAim 




n 


Allumi Afticbct#d - Rf pgut Jfli AWucWwa 


Aliens Abducted Me - Report ail AbduclUm 

TtianEs-for submJmffl^ iJk Imtl 

Yau w«c abduwd laa «d were garwrar LI Iwues 

jjyfflUcr of ilkni ： tSawns 

E>cH.-nb»: Qrcra: bilk pw：o mm 

]lrc altnidkllJui: ^tnl ttx, abiMl 1TF : [} iq£ulfliH5fiSi 

Wa.s Fang ihoc? iw 

(>0icr cumnKnC*: Ptuic vefle 6.w me. 

V(wt email aJillM is Blfn«4hcjTraU£rcicnrtnn 


XKc user’s y>dirv\C ish *t £.vi"t>£-3l "to 
torvfivmatio” 

y/cll r^ccd \i la*tc\r ^tv\ v/c stv\d 

扣 abdu^io^ email *to Ov/cr\. 




Using all of the variables you just created except $name, 

finish the missing code below that generates a more informed fhc <bt /> -taa s ^ c |p 
confirmation page. the \Jo^aL^ 

- (W 七 -Po\rgct -that 

echo ' Thanks for submitting the form. <br / > ' ; wc \rc us'mg PUP "to 

^ ^caic t+TML. 

echo 'You were abducted 1 . $when_it_happened; 

echo ' and were gone for ' . $how—long . '<br / >'; 

cdho 'Numbcy- O^P aliens ： 1 . f ho>W__mo|irky . » />] 二 . 

echo 'Describe them : * . $alien description . * <br / > 


"The tt\\o 乙 omr^hd is 

used "to output the 
additiohal ih-Pov-rna-tioh 
*t° "the b\rowscv- as 一 
WTA1L doh-tcht. 

^a\y\, periods av-c used 

•to o vl 3 s ct\\o 'The aliens did "this ： 1 . fy/ha*t *thcv did • <b\r /> 'j 

av\A variables . ^ . . ’ . . 


echo ' Was Fang t^^ e? ' . $f ang_spotted . ' <br / > 

Cdho \ : f0"tiiC\r ： |<b\r />) 

echo 'Your email address is ' . $emai 1 ; 


you are here ► 
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test drive owen } s php script 




Tesr DriVq 


Tweak Owen’s script and try out the changes. 

Add the code for the new variables to report. php, as well as the 
code that echoes the variables to the browser as formatted HTML. 
Then upload the script to your web server, open the report. html 
page in your browser, and fill out the form with alien abduction 
information. Finally, click the Report Abduction button to submit 
the form and see the results. 



Dumb Questi 


ons 


What actually happens when I concatenate multiple 
strings together using periods? 

譬 

• Concatenation involves sticking more than one string 
together to form a completely new string. The end result of 
concatenating strings is always a single string, no matter how 
many strings you started with. So when you concatenate strings 
as part of an echo command, PHP combines the strings 
together into one first, and then echoes that string to the browser. 


OK, so how exactly does the server turn PHP code 
into HTML and CSS code? 

First off, remember that by default the code in a PHP script 
is assumed to be HTML code. You identify PHP code within a 
script by placing it between <?php and ?> tags. The server 
sees those tags and knows to run the code inside them as PHP, 
and all of the code outside of those tags is passed along to the 
browser as HTML. 


When I concatenate a variable with a string, does the 
variable have to contain text? 

No. Although concatenation always results in a string, 
variables don’t have to contain strings in order for you to 
concatenate them. So say a variable contains a number, PHP 
converts the number to a string first and then concatenates it. 


What happens to PHP code on the browser? 

A- 

Jr \* Nothing. And that’s because PHP code is never seen by 
a browser. PHP code runs on the server and gets turned into 
HTML code that’s sent along to the browser. So the browser is 
completely unaware of PHP’s existence—web pages arrive as 
pure HTML and CSS. 


Right. But that still doesn’t explain how the PHP code 
gets turned into HTML/CSS code. What gives? 

Ah, that’s where the echo command enters the picture. 
You can think of the echo command as outputting information 
beyond the confines of the <?php and ?> tags. So the echo 
command is the key to PHP’s ability to dynamically generate 
HTML/CSS code. By concatenating strings of text with PHP 
variables, you can construct HTML code on-the-fly, and then use 
echo to output it to the browser as part of the resulting web 
page. A good example of this is in Owen's report. php 
script when the <br /> tag is tacked on to the end of a piece 
of text to generate a line break in HTML. 
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add life to your static pages 


The confirmation web page is 
helpful to the user but ifs no 
good to me. I still need the 
form data sent to me in an email. 



o 



The PHP script still needs to email the form data to Owen. 

As it stands, the report. php script is grabbing the data from the Report 
an Abduction form and generating an HTML confirmation page for the user. 
But it’s not yet solving the original problem of emailing a message to Owen 
when the form is submitted. He just wants to receive a simple text email 
message that looks something like this: 


Si mi lav -fco -the 
do^-Piv-rwa-tio^ web page, 
this email 

do^sis-ts o( 匕 
dorwbmcd v/’rth -Pov-rw data. 


Alf Nader was abducted last November and was gone for 11 hours. 

Number of aliens: dozens 

Alien description: little green men 

What they did: asked me about UFO regulations 

Fang spotted: no 

Other comments: Please vote for me. 


This email message can be generated from PHP code by putting together a 
string that combines static text such as "Other comments : n with form 
field data stored in variables. 


Write down how you’d put together an email message string 
from static text and PHP variables. 


you are here ► 
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building the message body in php 


Creating the email message body with PHP 


You’ve already seen how a period can be used in PHP code to concatenate 
multiple strings of text together into a single string. Now you need to 
use concatenation again to build an email message string with variables 
sprinkled in among static text. 

l/a\riablcs av\d s-ta-tid -text av-c 
^ouaitv\aicd ih-to a si^le email 

message stvihg usih^ pev-iods. 


Most 七 wb edi-tov-s will 
aiA-bomatitallY wvaf 
Codt "to *bKc I'mc 
\( you (W 七 fU 七 … youv 
ovm Imc bveak (\rc*buvr\). 


$msg = $name ' . $when—it—happened . ' and was gone for ' . $how—long . '.' . 

'Number of aliens : ' . $how many . 'Alien description : ' . $alien description . 'What they did:' 




$what they did 

. 1 Fang spotted: 1 . 

$fang spotted 

. 1 Other comments : 1 . 

$other; 



One problem with building such a large string is that it requires a huge line 
of PHP code that’s difficult to read and understand. You can break the 
PHP code across multiple lines to make it easier to follow. Just make sure to 
separate the code in spots where the spacing doesn’t matter, like between 
two concatenated strings, not in the middle of a string. Then put a 
semicolon at the end of the last line of the code to finish the PHP statement. 


e 此 h vdHable 

holds a stirihg <^f -text 
七 hat was pulled -P\rorw -the 
Rcpoirt Abdu^tioh -Pov-rw. 


$msg 


TKis is vcally jus*t 0於 Imc of 
— toAt divided advoss multiflc Imcs. 


$name 

. 1 was abducted 1 . 

$when it happened 

. 1 and was gone for 1 . 

$how long 


f f 



'Number of aliens : ' . $how_many . 

'Alien description : ' . $alien—description 

▼What they did: ' . $what_they_did 

'Fang spotted : ' . $fang spotted . 

■Other counts: ， • $ otL r ^) 

IA/hch a o( PHP todt is 




The lihe o-f Codt is dav-c*fully 
wtehded by hot b\rcak*mg i-t 
•… 七 he middle Jc a stv-ihft. 


dclibcv*3*tcly extended d^\ross mul'biplc 
Imes, i 仏 dus-tomoi\ry -to the 

Imes 3-Ptc\r the -fiv-st o^c "to help you 
see whuih Imcs "feo^cthcv* \y\ 

youv dode. 


You still iiavc bo -f'misii cr\*tiv-c 
s*b3*tcw'Cr\*b 3 scw\»tolor\. 


A long line oi PHP code can te spanned 
across multiple lines as long as you’re 
careiul about kow you treak up tke code. 
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add life to your static pages 


That PHP code sure is pretty. But 
with no formatting, woiVt the email 
message be all jumbled together? 


O 



Yes. Just because the PHP code is organized nicely 
doesn’t mean its output will automatically look good. 

Organizing PHP code so that you can better understand it is completely 
different than formatting the output of PHP code that users will see. You’ll 
normally use HTML tags to format the output of PHP code since in most 
cases PHP is used to dynamically generate a web page. But not in this case. 

Here we’re generating an email message, which is plain text, not HTML. We 
need to deal with the fact that the message currently looks like this: 


Alf Nader was abducted last November and was gone for 11 hours. 
Number of aliens: dozensAlien description: little green menWhat 
they did: asked me about UFO regulationsFang spotted: noOther 
comments: Please vote for me. 

Oudh/ This is NOT 
what Ov/Ch had ih 


^ihd -fo\r his Abdu^tioh 

Rcpov-t entail messages. 



Dumb Questi 


9ns 


Is there a way to use HTML formatting in emails you send 
from a PHP script? 

There is. But it requires an additional step that involves setting 
the content type header for the message. Headers and content 
types are a bit beyond the scope of this discussion, which is why 
we’re sticking with pure text email messages for Owen’s email 
responses. You'll learn more about headers in Chapter 6, so you’ll 
definitely gain the knowledge to revisit HTML emails later. 



How would you reformat the 
plain text email message so 
that it is easier to read? 


you are here ► 
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formatting text with php 


Evgw plain text can be formatted... a little 


Since Owen’s sending email messages as plain text with no HTML 
formatting, he can’t just stick in <br / > tags to add line breaks where the 
content’s running together. But he can use newline characters, which are 
escaped as \n. So wherever \n appears in the email text, a newline will 
be inserted, causing any content after it to start on the next line. Here’s the 
new email message code with newlines added: 

used "to pladc hewlihe 

tliv-oughout 

the email 


£scape ckaracters 

in PHP start witk 

a Lackslask (\). 


message. 


$msg = $name 


was abducted 


$lyhen—it—happened . ' and was gone for ' 


- - ^1 

.$how long . ▼.\n▼ 


'Number of aliens : ▼ . $how many . '\n ' . 

— 

'Alien description : ' . $alien—description . ' \n ' 

'What they did: 1 . $what_they_did . 1 \n 1 . 

▼Fang spotted : ▼ . $fang—spotted . ' \n ' . 

'Other comments : ' . $other; 


Newlines sound like a 
great idea... too bad 
that code doesn't work. 


^ Nader was abducted lastNovember and was gone for 11 hours, 
lumber of aliens: dozen(\n^lien description: litde green men 
㉟ they did: asked me about UFO regulation|\n)ang spotted: 
no \n(Dther comments: Please vote for me. 


thereiare no ^ 

Dumb Questi9ns 




What exactly is an escape character? 


An escape character is a character that's either difficult to type or 
would otherwise cause confusion in PHP code. You may be familiar with 
escape characters from HTML, where they're coded a little differently, like 
& # 16 9 ; or & copy; for the copyright symbol. PHP has a very small 
set of escape characters that are helpful for escaping things that might 
be confused with the PHP language itself, such as single quotes (\ '), 
double quotes (\ n ), and of course, newlines (\n). 


TV^C is 

ds 

ms*tcad o-f a ir\c>wrmc 
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add life to your static pages 


Newlines need double-quoted strings 


The problem with Owen’s code is that PHP handles strings differently 
depending on whether they’re enclosed by single or double quotes. More 
specifically, newline characters (\n) can only be escaped in double-quoted 
strings. So the Abduction Report email message must be constructed using 
double-quoted strings in order for the newlines to work. 


But there’s more to the single vs. double quote story than that. Single-quoted 


strings are considered raw text, whereas PHP processes double-quoted 
strings looking for variables. When a variable is encountered within a 
double-quoted string, PHP inserts its value into the string as if the strings 
had been concatenated. So not only is a double-quoted string necessary to 
make the newlines work in the email message, but it also allows us to simplify 
the code by sticking the variables directly in the string. 


Coy\^a*tcir\atioir\ is y\o lo^JCV* 
s"mtc variables 

be diV'C^'tly >wrtWur\ 

a double-quoted s-tvmj* 



$msg = "$name was abducted $when 一 it—happened and was gone for $how—long•\n n 
"Number of aliens : $how_many\n". 


"Alien description : $alien_description\n M . 
"What they did : $what_they_did\n M 
"Fang spotted: $fang_spotted\n". 



/VcwlihC av-c how 

i^-tc\rp\rc-tcd p\ropcv-ly -thanks 
"to the double-quoted stv-ihg. 



"Other comments : $other"; 

v\o d r>cv/lmc a*t 

七 he vevy tv\A s'mtc *tiVis is 
las*t O-f 


there jetre no ^ 

Dumb Questi9ns 


Bu*t yjc still y\tt& *to bveak 
-tKc message m*to rwultiflc 
to^da*tc^atcd s-tv-'m^s so 
todts casicv- *to v-cad 

d 己 VOSS multiple ll^CS. 


If double-quoted strings are so cool, why have we used 
mostly single-quoted strings up until now? 

Well, keep in mind that single-quoted strings are not 
processed by PHP in any way, which makes them ideal for strings 
that are pure text with no embedded variables. So well continue 
to use single-quoted strings throughout the book unless there is a 
compelling reason to use a double-quoted string instead. The most 
important thing about using single vs. double quotes around strings is 
to try and be as consistent as possible. 

What happens if I need to use a single quote (apostrophe) 
within a single-quoted string, as in 'He's lost! ' ? 


This is where escape characters come in handy. To use a 
single quote inside of a single-quoted string, just escape it as \ ', 
like this: ' He\ ' s lost ! '. The same applies to a double quote 
inside of a double-quoted string—use \ n . You don’t have to escape 
quotes when they don’t conflict, such as a single quote inside of a 
double-quoted string: "He ' s lost ! 

So single-quoted strings support \ ' but not \n. How do I 
know what escape characters I can use within single quotes? 

Single-quoted strings only allow the \ ' and \\ escape 
characters—all other escape characters can only be used in double- 
quoted strings. 


you are here ► 
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assemble owen^ email 


Assemble an email message for Owen 

With the body of the email message generated as a string, you can move on 
to assembling the rest of Owen’s email. An email message is more than just a 
message body — there are several different parts. Although some are optional, 
the following pieces of information are used in pretty much all emails: 


❺ 

❺ 

O 


a, , , , you wa^t cav\ 

Th 咖 Hll 

a ^ appear as the of The 

The message subject.〆 心 ㈤ iU 〜如一 ^ e „ ai | address 

The sender’s email address (who the message is FROM). 

The recipient’s email address (who the message is TO)_ 


c>dd\rcss 


This is the kind of email message Owen hopes to receive upon someone 



submitting an alien abduction report. 


is is -the usevs 
3 il address, wkidh 
:ady sieved away ih 
femail variable. 


is 


This 63 y) be 3 

static stv-ihg. 


Tins is OvjC^s email 
addvess, ^i\\\cM dav> also 
be a s*tatid 士 ㈣. 


O Aliens Ab 々 r ted Me - Abduct on Report- 

1 了 0: 13HII 

卿 ade ⑽ abdudedlasl Member and was gone lor 1 1 hours. 

Please voie tor f(i&. 


M v/c ^l\re^dy dohstv-ud-ted ^ 
stirihg -fo\r the email body, whidh 
IS ih the frusg v^Hdble. 


This sample email message reveals that most of the content is in the body of 
a message, which you’ve already finished. All that’s left is coming up with a 
message subject, “from” and “to” email addresses... and of course, somehow 
using PHP to actually send the message! 
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add life to your static pages 


Variables store the email pieces and parts 


We already have the message body stored in $msg, but we’re still missing 
the message subject and “from” and “to” email addresses. The subject and 
the “to” email address can just be set as static text in new variables, while the 
“from” email address is already stored away in the $ email variable thanks to 
the form-handling code we wrote earlier in the chapter. 



$ email 


$_POST[ 


email'] 


'owenQaliensabductedme.com 


$to 


v 、 

^ . October 1, £000 PM C^J _ _ - 

卿 adef was abducledlasl 齡 mber and «_卿 tor 11 hours. 

====: PI 邮 e ， 



$ mS g = M $name was abducted $when_it_happened and was gone 
M Number of aliens : $how_many\n M • 

M Alien description : $alien_description\n M • 

▼▼What they did: $what_they_did\n M • 

▼▼Fang spotted: $fang_spotted\n M • 


\ _ 

for $how long.\n M • 


"Other comments : $other M ; 



All the era'll 

ih-fo\rr»»a'tioh ， s 
gathc\rcd a^d 
^rcady io go/ 


0 



ect, 


o Tne^enuer's cnr:a:! add! 


4lie 却 Ss FRGIV! 


0 


you are here ► 


49 

























send the email with php 


Sending an email message with PHP 


So you’re ready to write the PHP code to actually send the email 
message to Owen. This requires PHP’s built-in mail () function, 
which sends a message based on information you provide it. 

TKc subject 

end'll addv-css 一 mcssa 3 c 

mail($to, $subject, $msg); 

The body 
' "the 


Tke PHP mailO 

lunction sends an 


email message Irom 
witkin a script. 


These three pieces of information are required by the mail () function, 
so you always need to provide them. The “from” email address isn’t 
required but it’s still a good idea to include it. To specify the “from” field 
when calling the mail () function, an additional function argument’s 
required, along with some string concatenation. 


T\\t 七 wb Tv-om^ rnus*b be 
pvcpcir\dicdi bo *tV^c email 
dddv*ess 七 

address *bV^c email se^dejr 


mail($to, $subject, $msg, 1 From : 


$email) 



owen@ 3.1 isnsabd-uctedins 




Aliens Abducted Me - Abduction Report 1 


$msg = "$name was abducted ?when~it_happened and was gone 
"Number of aliens : $how_many\n f, • 

"Alien description : $alien_description\n n . 

"What they did : $what_they_did\n n • 

"Fang spotted: $fang_spotted\n’’ • 

"Other comments : $other"; 


'$how long.\n" 


message is provided 

md'ilO Wr\cA ： \o^ by 

a variable. 


m 



Tint’s \rigli-t, two escape 
^ha\radtc\rs ba^k--to-ba^k^ 


fcHods hahdy yet aga 

wi 七 li 0^CY\ s Cnrtdij 3ddv*css. 


tfiereiare no o 

Dumb Questions 

Is there anything else that can be 
specified as part of an email message in 
addition to the “from” email address? 

Yes. You can also specify “copy” and 
“blind copy” recipients in the same way as the 
“from” recipient—just use ’ Cc : ’ or ▼ Bcc : 
instead of ' From ■ If you want to specify 
both a “from” and a “copy” recipient, you must 
separate them with a carriage-return newline 
character combination (\r\n), like this: 


’From: 


$f rom 


\r\nCc 


$cc 


Wlc have *bo use double quotes 
hc\rc s\Y\tc wcVc usrng \v- 
a^d escape ^hav-ad-tev-s. 
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add life to your static pages 


So how do we 
actually use the 
mailQ function? 



WTML web 
fage oh the -Ply that 

匕 ojvpi\rms -the su^^css-ful 

-Po\rrw submission. 


Just add the code that calls mail () to your script. 

The line of code that calls the mail () function is all you need to send the 
email message. Make sure this code appears in the script after the code that 
creates the email variables, and you’re good to go. Here’s the complete code 
for Owen’s report. php script, including the call to the mail () function. 


<html> 

<head> 

K/headf ^ 1 " 113 AbdUCted Me - an Abduction</title> 

<body> 

<h2>Aliens Abducted Me - Report an Abduction</h2> 

<?php 

= $ POST['firstname-] . ' ' . $_POST [ ' las'tname'] 
^rhen—it—happened = $_POST['whenithappened ']； 

$how—long = $_POST['howlong ']； 

$how_many = $_POST['howmany ']； 

$alien_description = $_POST['aliendescription']• 

$what—they—did = $_POST['whattheydid ']； 

$fang—spotted = $_POST['fangspotted']/' 

$email = $__POST [ f email f ]； 

$other = $_POST[ ， other，]; 


^vab all -fovm da*ta 
-fvom f^POST 
avvay s*titk i*t m 
mdividudl variables. 


Alakc Su\rC "{jo 
■this c^ail addv-css -to 
you\T oy/h "to test out 
the sdv-ipt. 


$to = 'owen@aliensabductedme.com ，， 

$subject 'Aliens Abducted Me - Abduction Report' - 

haPPened 耐刪叫阳恤 ^^ lo n g .Xn 

"Alien description: $ali en —description\n” 

"What they did: $what_they did\n 
"Fang spotted: $fang—spotted\n” • 

『 ’ ▼nt~hQT .c ； > .^n-h^o r n . 

^ail ($to, $subject, $msg, ' From : ' . $emaiT^ > 

I Thanks for submitting the form.<br />'； 

,’You were abducted ' . $when_it_happened; 

and were gone for ' . $how—long _ '<br 

Number of aliens: ' . $how_many . '<br /> 

'Describe them: ' • $alien—description _ 

’The aliens did this: ' . “hat—they did 
’Was Fang there? ' . $fang—spotted •—'<br /> 

’Other comments: 1 • $other • ，<br />'； 

'Your email address is ， • $email ； 


/> 


Assemble the 

pieces 

the email message 
bo be sc^*t *bo Ov/c^. 


<br 


?> 

</body> 

</html> 


report, php 
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the final test drive 




Tesr DriVq 


Finish up Owen’s script and then try it out. 

Add the three new email variables ($to, $sub j ect, and $msg) to the 
report. php script, as well as the call to the mail () function. Make 
sure the $to variable is set to your email address, not Owen’s! Upload 
the script to your web server, open it in your browser, and fill out the 
form with alien abduction information. Click the Report Abduction 
button to submit the form. Wait a few seconds and then go check your 
email Inbox for the message. 






Akines AWudwi Mu ‘ »n AbJw:iiwn 


； 

FMe 
I jni mw. 

VfctaMdpdMijpftm? 

Ik'— vrrc y ■■ K®* 1, - 

I low nuK| iU yflP 


if 



Jhi •酗 H mJtf wnA*n 

[lJrirnn M * ,M 




^■44^* 


UCiCTbf LfeKI ： - r j r ■’ 

wm\ ild » 

Hltc wu wn 丫口 ■ Si: w 




Alims AbdBcl^Mc. 抓 AMudU m 

O^rOTTjTKEU ,； H*»* 峨 fa 呼 ■ 

Vcw 两 * J 




The -Pov-rh daia 
is suddcss-Pully 
*Po\rr^tted dhd scht 
as ah cr^ail 



:. 


( « *«S**ne* 


I i» 




TV^c dy 灼 aw^ally 

y^cv-ated 

dor\*f*iV-matior\ fSJC 
still Cov\(\rrixs -bv^c 
-fov-m submission. 




rii 



You may need to configure PHP on 
your web server so it knows how 
to send email. 

If the mail () function doesn’t work for you, 
the problem may be that email support isn’t 
properly configured for your PHP installation. Check out 
www. php. net/mail for details on how to configure 
email features on your web server. 
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Sally, 
v-ctcr\*tly 
abduced 
by aliens. 


add life to your static pages 


Owen starts getting emails 

Owen is thrilled that he’s reliably receiving alien abduction information from 
a web form directly to his email Inbox. Now he doesn’t have to worry if he 
hears that someone saw his dog because he’ll have email addresses from 
everyone who contacts him. And even better, he’ll be able to look through the 
responses at his leisure. 


Sally suWrb 

{Mt -fov- 


TJje a^tioh attvibu-tc 
°** "the <-PoV-m> bg 
^USCS -the irepoviphp 
-to yv'otcss -the 

Wm daia. 




TKc PttP scr'y^i 

yy\cva*tcs a 

iv*w»a*tioh HTML 
阿 . 



■gggi, 一 U 




The PUP a | so 
y^aics ah email 
ahd ihch 
SChds ^ io Owch. 


0^CY\ IS OY\t , 

taw'fcv- y\o^i 七 ha 七 he s 
VC^cWm^ dliC)r\ abdu^*tio\r\ 
emails tWo— Wis -fovm. 
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email overload 


Owew starts losmg emails 

The good news is that Owen’s getting emails now. The bad news is that he’s 
getting lots and lots of emails. So many that he’s having difficulty keeping 
track of them. His Inbox is packed, and he’s already accidentally deleted 
some... Owen needs a better way to store the alien abduction data. 




























add life to your static pages 


4 




+ 




Got aliens on the brain? Shake them loose by matching each HTML 
and PHP component to what you think it does. 


HTML 

TBT 

Web form 

browser 
<?pKp ?> 

VciTicible 


A software application for viewing and interacting with web 
pages that acts as the client side of web communications. 

A PHP command that is used to output content, such as 
pure text or HTML code. 

These tags are used to enclose PHP code so that the web 
server knows to process it and run it. 

A built-in PHP array that stores data that has been 
submitted using the “post” method. 

A programming language used to create scripts that run 
on a web server. 

All strings must be enclosed within these. 


quotes 


echo 


本一 POST 


Web serVer 


way 


superglobcll 




A software application for delivering web pages that 
acts as the server side of web communications. 

A markup language used to describe the structure of 
web page content that is viewed in a web browser. 

A name used to describe built-in PHP variables 
that are accessible to all scripts. 

A series of input fields on a web page that is used to 
get information from users. 

A built-in PHP function that sends an email message. 

A storage location in a PHP script that has its own 
unique name and data type. 

A type of PHP data storage that allows you to store 
multiple pieces of information in a single place. 
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who does what solution 






HTML 




Web form 


browser 


< 


?pKp ?> 


VciTicible 


quotes 


echo 


本一 POST 


Web serVer 


way 


superglobcll 




Got aliens on the brain? Shake them loose by matching each HTML 
and PHP component to what you think it does. 


A software application for viewing and interacting with web 
pages that acts as the client side of web communications. 

A PHP command that is used to output content, such as 
pure text or HTML code. 

These tags are used to enclose PHP code so that the web 
server knows to process it and run it. 

A built-in PHP array that stores data that has been 
submitted using the “post” method. 

A programming language used to create scripts that run 
on a web server. 

All strings must be enclosed within these. 


A software application for delivering web pages that 
acts as the server side of web communications. 

A markup language used to describe the structure of 
web page content that is viewed in a web browser. 

A name used to describe built-in PHP variables 
that are accessible to all scripts. 

A series of input fields on a web page that is used to 
get information from users. 

A built-in PHP function that sends an email message. 


A storage location in a PHP script that has its own 
unique name and data type. 

A type of PHP data storage that allows you to store 
multiple pieces of information in a single place. 
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add life to your static pages 



Your PHP 备 MySQL Toolbox 

In Chapter 1, you learned how to 
harness PHP to bring life to Owen’s 
web form. Look at everything you’ve 
learned already... 


PHP 

A scvvcv-sidc 

*b^a*b lc*b you v/cb 

Co^itni i\\t scvvcv bcW d 
is dclWcvcd *to *b^c dierrt 
bvov/scv. 

PHP sdvi^-t 

A it%i -Pile Co^ia\^ PttP 

code {jo ^avvy ou-b -tasks a 
y/cb sevvev. 


<?php ?> 


vav-i3klc 

/\ storage do^-tamcv- -fo\r d 0 设 

of data, h PHP, variables must 
start a dollav* s*i^, like 七 Wis. 

/\/av"iablur>ame. 

$__POST 

A s^ 6 al variable *tV>a*t Kolds 心作 

data- 

echo 


These *t^gs must suvrouhd all PHP 
^odc ih youv PHP Wip^s. 


mail () 




lis 


My£6^L 

afpli^atioh that lets you s-tov-c 
data ih databases av\d -tables a^d 
ihSCV-t ahd v-ct\ricvc ih-fo\rmatiOh 

us'mg the S 夕 L lahguage. 

緣 

A ^ucv-y Uhjuajc -fov- 
ihtcv-adtmj v/i*th dd'tdbase 
外 plida 七 ions like MyS 夕 L. 


The PfiP -Puhdtioh -Pov- s^hdih^ 
ah ⑽,七 takes the cv^a\\ 
subject, email body text, ahd 
■the dcs-tihatioh cr»»ail dddv-ess as 
pavametevs (you Qh optiohally 

spcdi-py a F\ror»» address -fcoo). 


GCho r Hello World 



array 

A data s-tvudiuv-c -that s-fcoves a se 七 
values, value has mdc 乂 

*tha*t you t^y\ use *to addess i-t. 

estate tKarattev- 

Used *to v-c\>v-cscir\-t dhavadiev-s *m 
PHP code -that av-c di-P-Pidul-t *fco 
•type ov- -that doh-flid*t with 
other toAt } sudh as \h (^cv/l'mcs). 



H 

w 
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2 C9imect!ng 按 MySQL 


參 




How it fits together ♦ 





We have to plug in 
the interweb before 
we can connect the web 
site configuraturer., 


Im not letting her 
anywhere near my 
web application. 




Knowing how things fit together before you start 

building is a good idea. You’ve created your first PHP script, and it’s 
working well. But getting your form results in an email isn’t good enough anymore. 
You need a way to save the results of your form, so you can keep them as long 
as you need them and retrieve them when you want them. A MySQL database 
can store your data for safe keeping. But you need to hook up your PHP script to 
the MySQL database to make it happen. 


this is a new chapter 
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the pitfalls of emailing form data 


Owen's PHP form works well. Too well 





Ff _. - A^llon 

^ 一 1 de _ 

娜娜 an _ S _ Wl 

柳 at 仇 eV d ， d . , 一 n cornact 


It will take move 

tha 灼 3 Co((ct 

buzz, -fov Owch {jo 
keep up v/iih all 
the alien abdu^biem 

\rcpo\rts 針 iv/’mg m 
his rnbox. 


inbox 


1 n,s l os t dliCh dbdu 匕七 ioi 
VCpo\rt ruChtiohS seeih^ 
do0 … this is ih*fo\n^a"tioi 
0w<!h desperately heeds. 


mCSS3^CS like "this 
sa-fcly s'toved one plade 
he 乙办 si-f-b 七 Wou 价七 (or 
possible si^tmjs. 


This is where a MySQL database can help. 


丄 S 七 rn Use you did^i khow, most people 
fvohouhdc My^L by spcllmg out the - 
last thvee letter as ih ^y-css-^uc-cr ； 


The new report form is great, but 
now rm getting too many emails. I can’t 
drink enough caffeine to go through 
them all when I first receive them. 


Owen’s email script was fine when he was only 
getting a few responses, but now he’s getting 
lots of emails, far more than he can manage. 

He’s accidentally deleted some without reading them. And some 
are getting stuffed in his spam folder, which he never checks. In 
fact, an email he’d be very interested in seeing is hidden away in 
his spam folder right this moment... Owen needs a way to store 
all the messages so he can look at them when he has time and 
easily find ones related to Fang. 
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connecting to MySQL 


MySQL excels at storing data 


Owen really needs a way to store the alien abduction report data in a safe place 
other than his email Inbox. What he needs is a database, which is kinda 
like a fancy, ultra-organized electronic file cabinet. Since the information in a 
database is extremely organized, you can pull out precisely the information you 
need when you need it. 

Databases are managed by a special program called a database server, in 
our case a MySQL database server. You communicate with a database server 
in a language it can understand, which in our case is SQL A database server 
typically runs alongside a web server on the same server computer, working 
together in concert reading and writing data, and delivering web pages. 


"The ih /VJyS^L 
-Pov- 

没 uevy L^h^ua^e. 

MySQL stores 

data inside ol 
database tables. 




I Database server 


丁 he web scv-vcv- pvodcsscs web 

v*c^ucs-ts, vuhs PUP s^vip-ts, Server computer 
\rctu\r^s HTML 


Client browser 


TVic database server 
reads dy\d data 
-(■yow'/*to 


MySQL databases are organized into tables, which store information as rows 
and columns of related data. Most web applications use one or more tables 
inside a single database, sort of like different file folders within a file cabinet. 


MySQL database 



T\,t datakasc 

ytoved as Ucs o'f 
havd dv-Wc, kw-t \i Aotst\ t 

V^avc *to kc- 



With alien abduction data safely stored in a MySQL database, Owen can analyze 
the reports from everyone who answered “yes” to the Fang question at his 
convenience. He just needs to use a little SQL code to talk to the database server. 


SQL is tke cjuery 

language usect 
to communicate 

witk a MySQL 

ctataliase. 
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mysql can help owen 


Owen needs a MySQL database 


So it’s decided: MySQL databases are good, and Owen needs one to store 
alien abduction data. He can then modify the report. php script to store 
data in the table instead of emailing it to himself. The table will keep the data 
safe and sound as it pours in from abductees, giving Owen time to sift through 
it and isolate potential Fang sightings. But first things first... a database! 

Creating a MySQL database requires a MySQL database server and a special 
software tool. The reason is because, unlike a web server, a database server 
has to be communicated with using SQL commands. 


Ive always heard the tool makes all 
the difference in getting a job done 
right. How do I know what MySQL tool 
to use to create a database and table? 


0 


Creating MySQL 

ctatatases and 
tables requires 
communicatin 片 
witli a MySQL 
ctatatase server. 


tc\rmihal is a 
wihdow provides 
Sddcss S 匕 lih( y/liCV'C 

you Uh S 々 L dor^mdhds. 



MySQi terminal 




-Edit Window Help MustnndFang_ 


Owch heeds a 
AlyS^L -tool {jo 
his hew 
alieh dbdud'tioh 
databasc/tablc. 


mY sql> CREATE TABLE aliens abduction 
first_name varchar (3U), 
last_name varchar (30), 

when~it_happened varchar(3 ) r 

how_Iong varchar (30 )， 
how many varchar (30), nn v 

alGn—description varchar (100), 
what_they_did varchar (100), 
fang^spotted varchar(10), 

other varchar(100), 
email varchar (50) 

Query OK, 0 rows affected (0.14 sec) 


is attually 

m PUP- 


pbpMyAdwm graphical tool 





▽ 々钟/六心 s a ya—i 乙 al 

-bool allows *to 

Cctdht ar\d "balolcs 

a v/ck 


Two popular MySQL tools are the MySQL terminal and phpMyAdmin. 
Both tools let you issue SQL commands to create databases and tables, insert 
data, select data, etc.，but phpMyAdmin goes a step further by also providing 
a point-and-click web-based interface. Some web hosting companies include 
phpMyAdmin as part of their standard MySQL service, while the MySQL 
terminal can be used to access most MySQL installations. 
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connecting to MySQL 



You must have a MySQL database server installed before turning the page. 

It’s impossible to help Owen without one! If you already have a MySQL database server installed 
and working, read on. If not, turn to Appendix ii and follow the instructions for getting it installed. 

If you’re using a web hosting service that offers MySQL, go ahead and ask them to install it. Several 
pieces of information are required to access a MySQL database server. You’ll need them again later, 
so now is a good time to figure out what they are. Check off each one after you write it down. 


My MySQL server location (IP address or hostname) : 
My database user name: 

My database password: 

You heed -fco dhcdk 
all these. 



^ y ou > this book 

^^ ^11 ihio ihe 

hahds, -Peel -Pircc io skip 
this oh C dowh. 


With your MySQL database server information in hand, all that’s left is confirming that the server 
is up and running. Check one of the boxes below to confirm that you can successfully access your 
MySQL server. 


Yo[a oy\ly 

■to tKctk OY\C 
o( 



can successfully access MySQL server using the MySQL terminal. 


can successfully access MySQL server using phpMyAdmin. 


can successfully access MySQL server using . 

|-f you vc *four\d some — ^ 

oi\\t>r MyS^L -tool 
y/orks, y/V-"l*tc i*t dov/r\ \\CYt- 
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creating databases and tables in mysql 


Create a MySQL database and table 


Some MySQL installations already include a database. If yours doesn’t ， 
you’ll need to create one using the CREATE DATABASE SQL command 
in the MySQL terminal. But first you need to open the MySQL terminal 
in a command-line window~just typing mysql will often work. You’ll 
know you’ve successfully entered the terminal when the command 
prompt changes to mysql>. 

To create the new alien abduction database, type 

CREATE DATABASE aliendatabase; like this: 



mysql 〉 CREATE DATABASE aliendatabase 
Query OK, 1 row affected (0.01 sec) 



The scv-vcv usually vcspoy>ds *to lc*t 

you kir\ov/ 3 v/as su£-dcss-(*ul - 


Before you can create the table inside the database, you need to make sure 
you’ve got our new database selected. Enter the command 
USE aliendatabase; 


you use tcv-mmal, 
you must f 认七 a scw>itolor\ 


File Edit Window Help PhoneHome 




mysql> USE aliendatabase 
Database changed 




The SQL code to create a table is a little more involved since it has to spell 
out exactly what kind of data’s being stored. Let’s take a look at the SQL 
command before entering it into the terminal: 



CREATE TABLE aliens—abduction ( 
first—name varchar(30), 
last_name varchar(30), 
when_it—happened varchar(30), 
how—long varchar(30), 
how—many varchar(30), 
alien—description varchar(100) 
what_they_did varchar(100), 
fang_spotted varchar(10), 
other varchar(100), 
email varchar(50) 


TWis is 扣 S 6 ^L 

*b^a*t dv-ca*tcs a *table. 


All tKc othc\r stu-ff is 
** detailed ih-povrw^'tioh 
about what kihds of daia 

乙 be s-toved ih the bble 



/\|| S 公 L domma^ds 
m*to tcv-rnmal 

mus*b end 3 SCmidoloirt. 
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connecting to MySQL 


To actually create the new table, type the big CREATE TABLE command into 
the MySQL terminal. (You can find the code for the command on the web at 
www. headfirst labs • com/books/hfphp.) After successfully entering 
this command, you’ll have a shiny new aliens—abduction table. 


File Edit Window Help PhoneHome 




TV 、饮 y 伙 
vcspor>sc -rvom {\\t 
My£($L scv-vcv lc*U 
you kr>oy/ "table 

y/ds dvcatcd 七 

d^y pvoblcms. 


mysql> CREATE TABLE aliens abduction ( 
first—name varchar(30), 
last—name varchar (30), 
when_it_happened varchar(30), 
how—long varchar(30), 
how—many varchar(30), 
alien—description varchar(100), 
what—they—did varchar(100 ), 
fang—spotted varchar(10), 
other varchar(100), 
email varchar(50) 


Query OK, 0 rows affected (0.14 sec) 


Your MySQL installation may offer the phpMyAdmin web-based tool, 
which lets you access your databases and tables graphically. You can use 
the phpMyAdmin user interface to click your way through the creation of 
a database and table, or enter SQL commands directly just as if you’re in 
the MySQL terminal. Click the SQL tab in phpMyAdmin to access a text 
box that acts like the MySQL terminal. 


DaiB£ia 34 ： 


[aUerKSfllabftH <0 




^ stmmura | JTfSQt | pEnjari | ^ ■BMWh 




first 一 name varchar(30), 

when:it—happened varchar(30), 
how 一 long varchar(30), 
how— many varchar(30), 
aliSn 一 description varchar(100), 
what_they_did varchar(100), 



寸 . fitww [hi：-, quray Nins iignm 


Of 

Location at iha 


Y°^ ^ the 

same dorwrwahds hcv-c 
that you’d Chtcv- ih 
the /VlyS^L -tcv-mihal, 

jus-t dlidk 6\o -to 

execute them. 


A-Ptcv Ch-tcvihg -the 
S 少 L todt, dli^k 
this bu-fc-fcoh -fco 

ihc table. 


So the SQL tab of the phpMyAdmin application provides a way to issue 
SQL commands just as if you were using the MySQL terminal. 
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introducing the INSERT statement 



O 


Ive got a MySQL 
database and table, 
now how do I put 
data into them? 


You use the SQL insert statement to insert 
data into a table. 

The SQL language provides all kinds of cool statements 
for interacting with databases. One of the more commonly 
used statements is INSERT, which does the work of storing 
data in a table. 

Take a look at the statement below to see how the INSERT 
works. Keep in mind that this statement isn’t an actual SQL 
statement, it’s a template of a statement to show you the 
general format of INSERT. 


be— 





T^is pav-t is a list of 
youv database dolu^n 
scfav-a*tcd by dogmas. 


INSERT 


o 



dolumh 

follow, with ho Co^a 
a-Ptcir the last OhC- 




VALUES 


INTO table_name {< 20 1 umn_namel), 

•••. 二 .. . .•• 


❿ 

column name2 


A^othcv- S 6 JL 

keyword, this OhC 

sighal'ma tha-t the 
values \oy the 
乙 olurvms -follow. 



value1 

o 


value2 

❺ 



TKis Y\t%i part is a lis-t o( 
七 he values b> be msc\rtcd> 
scpav-a*tcd by Commas. 


丁 he single Quotes av*c 

^o\r\rc^t. Use therw whchCVCV" 
you'e ihscirtihg -texi eve^ 
a single ^hav-a^tev- 
like U. 


these heed h> be ih -fcKg 
sdrwg o\r 3 e^ 3 s 七 he ^olurwh 


Move <\uo*tcd values 
-follow, v/'rth y\o domma 

*thc las 七 or^c- 


One of the most important things to note in this statement is that 
the values in the second set of parentheses have to be in the same 
order as the database column names. This is how the INSERT 
statement matches values to columns when it inserts the data. 
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connecting to MySQL 


The INSERT statement iw action 

Here’s how an INSERT statement can be used to store alien 
abduction data in Owen’s new aliens abduction table. 



YouV doluwm 3 V"C \ y \ 

七 k sti ?avc^cscs 

and aw\dcd W tommas’ 



Watch it! 


Order matters! 

The values to be 
inserted must be listed in 

exactly the same order 
as the column names. 



This is "the hdme o-p the 
table -the daia is beihg 
i^sc\rtcd \Y\io, h/OT the 
y)3rtne o( the da-tabase. 

o ^ © 

INSERT INTO aliens 一 abduction (first 一 name, last 一 name, 

o o o o 

when—it happened r how—long, how many, alien 一 description, 

❾ 0 ❾ ❿ 

what they did, fang spotted, other, email) 

■ O ■© o © © 

VALUES ( 1 Sally 1 , ▼Jones 1 , 1 3 days ago▼, 1 1 day 1 , ▼four 1 r 


o 


❹ 

1 We just talked and played with a dog 1 , 



1 green with six tentacles 1 , 

o o 

1 yes 1 r 1 1 may have seen your dog. Contact me . 1 

’sally@gregs-list.net ▼)5 、 

、 AH o\ these values 

^Ohtaih text, hot 

hur»\bc\rs ; so y/c 

put single Quotes 

a\rouhd eadi ohe. 
so 



The values -fov- ea 匕 h 匕 olu 
ih ihe second sci 
P^irchthcscs av,d al 
divided by Commas. 


Uv>l'»kc PttP staWc 七 

⑽ L Aov\ i 

tYy ^ m d scw'^oloyv >N\\ty\ 

used PttP Code- 


^^rpen your pencil 



TV^csc av-c *tV^c 

toluwm 




The aliens—abduction table is shown below, but it doesn’t 
have any data yet. Write Sally’s alien abduction data into the 
table. It’s OK to write some of the data above the table and use 
arrows if you don’t have room. 


aliens abduction 


first name 

last name 

when it happened 

howjong 

how many 

alien description 

what they did 

fang spotted 

other 

email 
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solutions and no dumb questions 

- ^5^rpen your pencil 

Solution 


The aliens_abduction table is shown below, but it doesn’t 
have any data yet. Write Sally’s alien abduction data into the 
table. It’s OK to write some of the data above the table and use 
arrows if you don’t have room. 


yrtty\ Wrt “以 


jus 七 talked and 

played wi-th a doj.'N I may Kavc youv 

do^> Coirrtad 七 w'C- 


ally@gircgs-lis-t.hct 


aliens abduction 


first name 

last name 

when it happened 

howjong 

how many 

al^n description 

they did 

fang spotted 

oth 

er 

email 

Sally 

Joi^cs 

i days a(\o 

1 day 

-fouv 

N 


— H — 





thereiare no o 

Dumb Questions 


I’m not sure I understand the difference between a 
database and a table. Don’t they both just store data? 

Yes. Tables serve as a way to divide up the data in a 
database into related groups so that you don’t just have one 
huge mass of data. It's sort of like the difference between 
throwing a bunch of shoes into a huge box, as opposed to 
first placing each pair in a smaller box—the big box is the 
database, the smaller shoeboxes are the tables. So data is 
stored in tables, and tables are stored in databases. 

What exactly is the MySQL terminal? How do I find 
it on my computer? 

The MySQL terminal is a technique for accessing a 
MySQL database server through a command-line interface. 

In many cases the MySQL terminal is not a unique program, 
but instead a connection you establish using the command 
line from a “generic” terminal program, such as the terminal 
application in Mac OS X. How you access the MySQL terminal 
varies widely depending on what operating system you are 
using and whether the MySQL server is local or remote 
(located somewhere other than your computer). Appendix ii 
has more details about how to go about accessing the MySQL 
terminal. 


What about phpMyAdmin? Where can I find that? 

Unlike the MySQL terminal, phpMyAdmin is a web- 
based application that allows access to a MySQL database. It 
is actually a PHP application, which is why you always access 
it from a web server, as opposed to installing it as a local client 
application. Many web hosting companies offer phpMyAdmin 
as part of their standard MySQL hosting plan, so it may 
already be installed for you. If not, you can download and 
install phpMyAdmin yourself. It is available for free download 
from www. phpmyadmin . net. Just remember that 
it must be installed on a web server and configured to have 
access to your MySQL databases, just like any other PHP and 
MySQL application. 

Q/ I have both the MySQL terminal and phpMyAdmin 
available. Which one should I use to access my database? 

It’s totally a personal preference. The upside to 
phpMyAdmin is that you can explore your databases and 
tables visually without having to enter SQL commands. That 
can be very handy once you get comfortable with SQL and 
don’t want to manually enter commands for every little 
thing. However, for now it’s a good idea to focus on really 
understanding how to interact with your MySQL data using 
SQL commands, in which case either tool works just fine. 
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connecting to MySQL 





Tesr DriVq 


Store an alien abduction sighting in your database 
with an SQL INSERT statement. 

Using a MySQL tool such as the MySQL terminal or the SQL tab of 
phpMyAdmin, enter an INSERT statement for an alien abduction. As an 
example, here’s the INSERT statement for Sally Jones’ abduction: 


INSERT INTO aliens—abduction (first—name, last_name, 

when—it_happened, how—long, how—many, alien_description, 
what_they 一 did, fang_spotted, other, email) 

VALUES ('Sally', 'Jones', '3 days ago', '1 day', 'four ', 


green with six tentacles ', 'We just talked and played with a dog *, 

yes' r 'I may have seen your dog. Contact me r 


sally@gregs-list.net') 



mysql> INSERT INTO aliens—abduction (first—name ， last—name 
when it happened, how_long, how—many ， alien—description, 


what_they_did, fang_spotted, other, email) ，， ， 

VALUES ( 1 Sally', ， Jones’, '3 days ago', '1 day’, 丨 four 1 ' ， 

«green with six tentaclesWe just talked and played with a dog’, 
'yes 、 ，I may have seen your dog. Contact me.', 

1 sally@gregs - list.net'); 

Query OK, 1 rows affected (0.0005 sec) 


Excdu-tmg the Ih/SBRT siaie^i 

the /WyS6?L Wmal 代 suits ih 
v*ow o-r d 


3 hCW 


data bemg added 
"to "the dliChS__dbdud'tioh 


The INSERT statement appears to have succeeded. Write down 
^ou think we can confirm that the data was added. 
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introducing the SELECT statement 


Use SELECT to get table data 


Inserting data into a table is handy and all, but it’s hard not to feel a certain 
sense of unease at the fact that you haven’t confirmed that the data actually 
made its way into the table. It’s kind of like depositing money into a savings 
account but never being able to get a balance. The SELECT statement is 
how you “get the balance” of a table in a database. Or more accurately, 
SELECT allows you to request columns of data from a table. 


Folloy/ SELECT V/-.IK a list 
£.olumy>s you d3"tci *fov. 

SELECT columns 



A SELECT always takes 
with \rcspcd -to a tabic, 

⑽七 a dd'teibase ih gchcv*al. 

FROM table name 


l 


a SELECT 


TV FROM favt s 

s*b 3 , tcw'Cy\*b \\o^i SH-L-B-CT kr\ov/s v/iia'b 

•tabic y/e II be sclcttrnj data 


Tke SQL 
SELECT 


The columns supplied to a SELECT statement must be separated by 
commas. Regardless of how many columns a table has, only data in 
the columns specified in SELECT is returned. This SELECT statement 
grabs all of the first and last names of alien abductees from the 
aliens abduction table: 


statement 
retrieves 
columns ol 
data Irom 


OyA^ *tVic data -for *tKcsc 
七 wo toluwms is by 

七 W»s StLtCT 



The SELECT siaie^i 

only \rci\rieves daia 
the dlichs__dbdud'tioh 



a tai>le. 


SELECT first name , last name FROM aliens abduction 


To check an INSERT, you need a quick way to look at all of the data in 
a table, not just a few columns. The SELECT statement offers a shortcut for 
just this thing: 


The as*tcv"»sk> ov w s*tav"> *tclU *tV^c 
SELECT -to data 

•fov* dll £-olumy\S m "table. 



SELECT * FROM aliens abduction 



^ list o-f 匕 olumhs is 

hcdcssavy because ^ 

them all/ w 
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Tesr DriVq 


Make sure the alien abduction INSERT statement 
worked by SELECTing the table data. 

Execute a SELECT query using a MySQL tool to view all of the contents 
of the aliens—abduction table. Make sure the new row of data you 
just inserted appears in the results. 

SELECT * FROM aliens—abduction 


These av-c "the dolunrthS. 



Below »s 

data -fov 

丁 he SELECT ^ucv-y v-cvcals a 
si—c \row o( daia s-fcov-cd ih 
the table- 


How many rows of data does your table have in it? 
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automating SQL commands with PHP 


So you're telling me I have to write an INSERT 
statement every time I want to add a new alien 
abduction report to my database? This MySQL 
stuff suddenly isn't looking so appealing. 


O 

o 


pened （ fi 成 - 細 e, last name , 

dL I - g ， how_many, alien_description, I 

VALUES - g - spotted , other, email) 

VALUES ('Sally', 'Jones'. ' —— ■ - - J 

'green 晒 : u 1 -你 

'yes', ' m y Sq i> INSERT INTO aliens—abduction (first—name, last—name. 


'Sally@g 
Query OK, 



丄， J. M i—I i V -L. 上 》 山 - - - -- - - 

when it happened, how—long' how—many ， alien_description A 
what_they_did A fang—spotted ， other ， email) 

VALUES ( 1 Don 1 f ， Quayle’, ’back in 1991 1 , 1 37 seconds 1 , 

»dunno 1 , 1 they looked like donkeys made out of metal with some 


ion ( first — _ e , las 一， _ 

what—they—did, f, S p ott ^ = alien_description, 

: -es o ^ 

工 was out of 阳 s sn & gas Nation ln the desert', ' yes ' 

g ° 0d 吐― ，，， 

,rows affected (0.0005 sec) 


'Looking lorw^^a 

f belitac@rockin.net 1 )); 
m^rv OK. 1 rows affected (0.0005 sec) 


It’s true, each insertion into a MySQL database 
requires an INSERT statement. 

And this is where communicating with a MySQL database purely 
through SQL commands gets tedious. Sure there are lots of benefits 
gained by storing Owen’s data in a database, as opposed to emails 
in his Inbox, but managing the data manually by issuing SQL 
statements in a MySQL tool is not a workable solution. 





How do you think Owen’s MySQL data 
insertion problem can be solved? 
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connecting to MySQL 


Let PHP handle the tedious SQL stuff 


The solution to Owen’s problem lies not in avoiding SQL but in 
automating SQL with the help of PHP. PHP makes it possible to issue 
SQL statements in script code that runs on the server, so you don’t need 
to use a MySQL tool at all. This means Owen’s HTML form can call 
a PHP script to handle inserting data into the database whenever it’s 
submitted — no emails, no SQL tools, no hassle! 


s 


TViC HTML -fov-m 
扣 email -tKa-t 0 ^ reives 

dr\d w 

•to database 


dmeates art S^L INSERT 
that msevts -the data 
-fv-orw the email m-fco the database- 



wh at-they_did, fang_s P otted, other^ernaxl) _ ，肛，， 

^ ' ' : U，, 3 : Y ;: “ ed and Played w lth a do^, 

seen your dog. Contact me., 
et ')； 

jeted (0.0005 sec) 





reporthtml 


The liTAIL -Povrw dal Is 
a PHP s^\rip-t av\d asks 
it -to add the -Pov-rw 
daia -to -the database. 


Without PHP, a manual SQL INSERT 
statement is required to store each 
alien abduction report in the database. 



With PHP, a PHP script automatically 
handles the INSERT when the form is 
submitted. 


<?php 

die^F ll_C ° nneCt (，data * alien sabductedme .com', 

_ ^ Error connecting to MySQL server.')； 

巧 巧咖恤 出 磁 - 刪 e , last 臟 ㊀ ， 

" - 

"'green with sL tentacle；' : T 、 ' 1 _ ，， '^ur', ■■. 

•'S;/ ㈣ 广 —_ dog^contact 0 !"" ，一 让 “—. 
sally@gregs-list.net 丨 ）”； r • 

$reSUlt = m ysqli_query($dbc, $query) 
or die「Error querying database.，）； 

mysqli—close ($dbc)； 


•Owen，， 'aliensrool', 'aliendatabase') 



The ?W? sdvift dvcaics av> INSERT 
siaitnxtr\i 七 ha 七 *msc\rb *thc -fo\rm daia 

m-bo 七 he database … 灼。 (htt 於 \re^ui\red! 



report, php 


you are here ► 


73 

















how owen’s application can use php and mysql 


?W lets data drive Owgw's web form 

PHP improves Owen’s alien abduction web form by letting a script send the 
form data directly to a database, instead of sending it to Owen’s email 
address and Owen entering it manually. Let’s take a closer look at exactly how 
the application works now that PHP is in the picture. 


❶ 


Sally fills out the alien abduction form 
and presses the Report Abduction 
button to submit it. The information 
gets sent to the report. php script 
on the web server. 


1 ( I get lonely ,) 



reporthtml 


o 


Lots and lots and lots of other people 
continue to submit the form too. 




>wcb fay 乙 alls 

弘外七 cm 
v/eb scv-vc\r y/iicir\cvcv- 
*,Vs submitted by a user. 
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connecting to MySQL 


o 


Owen’s report. php script connects to a 
MySQL database and inserts the information from 
each submission using SQL INSERT statements. 



The \rcpovt.plij> script 

with the 

MyS 没 L scv-vcv- {o *msc\rt data 
•nvto the alichs_oibdu^ioh 
table o( the database. 


report.php 



TV^c alic^s^abduttion table 

s*toVCS dlic^ 3bdu^*bioir\ 
V'C^o^'ts 3s voy/s d3*t3* 


o 


Not only does Owen need a script to put the data in the database, but he 
also needs a script to search and view the data. In fact, this could serve as the 
main page for his web site. The index . php script connects to the database, 
retrieves alien abduction data, and shows it to Owen. 


daldbdse scv-vcv- is ju ： 

3 V"ur\)r\nr\^ oy\ 3 

sevvev* ) usiA^lly 

alo^sidc -tVic v/cb server 





index.php 


The sdv-*if*t \rc*tv-*icvcs da*ta 

-the alicy>s__abdud*tior> *tablc so rt 
be -fov-ma*t*tcd ar>d sho>wr> *bo 


"The S IiChS__abdud-fcioh -table 
selves as a daia so^u 
"the ihdex.php sdv-ip-t. 


❺ 


Owen has the 
power to access 
the data in 
many new ways, 
allowing him to 
really focus on 
finding his lost 
dog, Fang. 
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making a mysql connection 


Cowwcct to your database from PHP 


Before a PHP script can insert or retrieve data from a MySQL database, it 
must connect to the database. Connecting to a MySQL database from PHP 
is similar in many ways to accessing a database from a MySQL tool, and it 
requires the same pieces of information. Remember the three checkboxes you 
filled out earlier in the chapter? Here they are again, along with a new one for 
the name of the database — go ahead and write them down one more time. 


o My MySQL server location (IP address or hostname) 


V^>u\r web host'mg sc\rvi^c ov- webmds-tev 
tell you ihis, o\r i-f youv- web 
sc\rvc\r oihd /WyS^L da-tabdse scv-vcv- 
狀 e \ruhhihg oy \ the same m 沉 hme, you 
C^y\ use "the wov*d w l 。匕 alhos*t w . 



❺ My database user name: 


o My database password: The database 

you dveated cav-licv-, v/KitK is 

My database name: 一 l-f -fov some 

vcdsor> you youv da*b3basc 


o 


The database server host location, username, password, and database name 
are all required in order to establish a connection to a MySQL database from 
a PHP script. Once that connection is made, the script can carry out SQL 
commands just as if you were entering them manually in a MySQL tool. 


YoiAY' oyjv\ -fouv pieces o-f 

乙 da*ta >w»ll be 


somc*tK*mg else ov- deeded *to 
use a daiabase *tKa*t >was alv-cady 
tvca*tcd, use 七 ha 七 ms 七 ead. 



A^y PHP sd\ript -that 
s-to\rcs ov- v-ctv-icvcs data 
a /WyS^L database 
-Pivst establish a 

^OhhC^tioh with the 
database usmg the -fou^ 
ficdcs o-p ih-Po\rrwa-tioh. 




"HiC hdrvtc is 

alichdatabasc a^d is 

hcdcssamy -Pov- a s^v-ip-t 

"to ^ornrhUhi^-tc y/ith 

the da-bbase. 


aliendatabase 



aliens abduction 


index.php 


广 


This is the 
database dhd ~tdblc 
we just ^caied. 


TV^c table nanxe is ali ⑶ s 一 abdu^biew ， 
3r\d does 灼’七 cir\*tcv- pi^tuve urrtil 
s*tav*t issum^ S 6 ^L £.ommar\ds. 


/ou 
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connecting to MySQL 


Iwscrt data with a PHP script 


Issuing a MySQL query from PHP code first requires you to establish a 
connection with the database. Then you build the query as a PHP string. The 
query isn’t actually carried out until you pass along the query string to the 
database server. And finally, when you’re finished querying the database, you 
close the connection. All of these tasks are carried out through PHP script 
code. Here’s an example that inserts a new row of alien abduction data: 


<?php 


*to 
databas 


t. 


should be Your 

W values, ho-t (KttU 


$dbc = mysqli_connect('data.aliensabductedme.com ', 'owen ', 'aliensrool ', 'aliendatabase') 

or die('Error connecting to MySQL server .')； 



▼ ay be able -to use lo^aliiost -fov youv 
database \otahov\ mstcad a domam 


OU rru 


$query 


INSERT INTO aliens abduction (first name, last name , when it happened, how long, 


’ ’how—many, alien 一 description, what_they_did, fang—spotted, other, email) M . 

"VALUES ('Sally', 'Jones ', '3 days ago', '1 day ', 1 four ', 'green with six tentacles ', M 
M 'We just talked and played with a dog ', 'yes', 'I may have seen your dog. Contact me.' 


sally@gregs-list.net ') M ； 



Build the l/VSERT <^ucvy 
as a s-tv-ihg ih PttP todt- 



$result = mysqli—query($dbc, $query) 
or die('Error querying database. 1 ) 


mysqli close($dbc); 


?> 


Issue the l^/SBRT <^ucvy 
。的 the /VJyS^L daiabasc 


TKcsc v-c<\uiv-c 

vouv- >wck scv-vcv- *b V^avc 

PHP vc^rsioh ^.1 ov yea 七吖 . 


Be ycallY ^ 

4-v^c c\u 。 七 CS ad double 

— I 一 

as spates bcW av^d 
quotes! 




What do you think each of these PHP functions is doing in the script? 


mysqli_connect() 
mysqli_query() 
mysqli close () 
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php’s three mysql connection functions 


Use ?W functions to talk to the database 


There are three main PHP functions used to communicate with a 
MySQL database: mysqli_connect () ， mysqli_query () ， and 
mysqli_close () . If you see a pattern it’s no accident 一 all of the 
modern PHP functions that interact with MySQL begin with mysqli 


mysqli connect() 


mysqli query() 



/W oldc^r set PttP 

V. TKc V stands U 

W imfVO\/ed,” 釙 d rr^SO^\_ 

^uho^s arc r^oy/ 


mysqli close () 


Connect to a MySQL database 
using the four pieces of information 
you already learned about. 


Issue a query on a MySQL database, Close a connection with a 
which often involves storing or MySQL database, 

retrieving data from a table. 


Using these three functions typically involves a predictable sequence of steps. 



Connect to a database with the mysqli 一 connect () function. 

Provide the server location, username, and password to get permission to interact with the MySQL database 
server. Also specify the database name since this is a connection to a specific database. 


Hello? Calling 
MySQL server, 
you there? 



❺ Create an SQL query and store it as a string in a PHP variable. 

To communicate with the database server, you have to use SQL commands. For example, an 
INSERT statement is needed to add data to the aliens_abduction table. There’s nothing 
special about the variable name we chose, but a straightforward name like $ query works fine. 


Ive got a big INSERT 
statement to send, and ifs 
stored in a PHP variable. 



[ !query] 


The <\uciry is C\rcaied as 
a s-t\rihg s-tov-cd ih 
f^uevy vav-iablc. 
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connecting to MySQL 


❺ Issue the query with the mysqli 一 query () function. 

Use the $ query variable with the mysqli—query () function to talk to the MySQL database server and 
add data to the aliens—abduction table. You have to tell mysqli—query () both the name of the 
connection you created back in Step 1 and the name of the variable that holds your query from Step 2. 

TVis -Puh^ioh you\r cjucV'V ； 

wkh _S 如 lh/£BRT sta-tc^ch-t -to 

data ih-to -the tabic. 

mysqli 一 query () 


Hey, INSERT this 
stuff in that table 
youve got stored. 



0 




o 


O 



ilSS] 


Success! 



❹ Close the database connection with the mysqli 一 close () function. 

Finally, mysqli—close () tells the MySQL database server that you are finished communicating with it. 


I*m done with 
you. Goodbye. 


mysqli 一 close () 


o 




Sheesh! Not even 
a thank you. 


Tills is o-f youv- 

tormetticm vav-iablc* 


Connection closed. 


|-f Joes >wV*o 灼 % 

*this will bddk d message 
ou by\A s-top 


This is dh I t/£B-RT ^ucv*y 
七 ha 七 ddds dd'te) ijO OUV* dd'tolbdSC. 


<?php 

$dbc = mysqli_connect('data.aliensabductedme.com ', ' owen ', 

or die('Error connecting to MySQL server .')； 


"lensrool ', 'aliendatabase') 


❻ 

$query = ’’INSERT INTO aliens 一 abduction (first 一 name, last—name, when—it—happened, how—long, 
n how—many, alien 一 description, what_they_did, fang—spotted, other, email) M . 

"VALUES ('Sally', 'Jones', '3 days ago', '1 day ', ' four ', 1 green with six tentacles ', M 

M 'We just talked and played with a dog ', 'yes', 'I may have seen your dog. Contact me .', 



sally@ 


gregs-list. 

❺ 


net') 


$result = mysqli—query($dbc, $query) 
or die('Error querying database .')； 


办 七- 

【■mysqli close ($dbc); 


^ys^li^uCV-yO is \\o^n PHP 七 es y/i 七 

七 he MyS^L scv-vcv. T\\c Code s*tovcd m 

vdv-idble is S6^L Code, r\o*t PHP CoAt> 


?> 


Hire’s whc\rc wc dlose 
七 he dohhCd-fcioh. 


Let’s take a closer look at each one of these PHP database 
functions, starting with mysqli_connect ()... 
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using mysqli_connect() 


fret connected with mysqli^cowwGctO 

For our PHP script to be able to create a connection to the database 
with the mysqli_connect () function, you’ll need a few pieces of 
information that you’re starting to get very familiar with. Yes, it’s the 
same information you used earlier when working with the MySQL 
terminal, plus the name of the database. 




Connect with mysqli_connect() 



o Assemble the query string. 


❺ Execute the query with mysqli_query(). 
o Close the connection with mysqli_close(). 


Who? 


Your username and password 

You’ll need your own username and password for your own database server. 
These will either be set up by you or given to you by your web hosting 
company when MySQL is first installed. If you set up your own MySQL, 
follow the instructions to give yourself a secure username and password. 


What? 


The name of your database 

In our example, we’ve named the database aliendatabase. Yours will be 
whatever name you decided to give it when you set it up earlier, or if your web 
hosting company created your database for you, you’ll be using that name. 


Where? 


The location of the database (a domain name, an IP 
address or localhost) 

In our example, we’re using the location of Owen’s (fictional) database. You 
need to use the location of your own MySQL server. Often, this is localhost 
if the database server is on the same machine as your web server. Your web 
hosting company will be able to tell you this. It may also be an IP address or a 
domain name like Owen’s, such as your server • yourisp . com. 


The location, username, password, and name of the MySQL 
database in the mysqli_connect () function must all have 
quotes around them. 




Ksc this v^vidble "to pcv*-Pov*m 

cl^tiohS oy \ the ddiabdse- 

$dbc = mysqli_connect( 

1 data.aliensabductedme.com 1 , 

1 owen 1 , A I I r 

. n n uodatioh o\ 

产 Wsrool 、 the database 

f 1 aliendatabase 1 ); 

P 一 d 、一 P 伽一 e 


The result of calling the function is a database connection and a PHP 
variable that you can use to interact with the database. The variable is 
named $dbc in the example, but you can name it anything you like. 


Tke myscjli—coimectO 
iunction treats tke 
location, username, 
password, anct 
database name as 
strings, so you must 
quote tkem. 
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connecting to MySQL 



rpen your pencil 


Here are some examples of PHP database connection strings. 

Look at each one and then write down whether or not it will work, 
and how to fix it. Also circle any of the code you find problematic. 


$dbc = mysqli_connect( ' data.aliensabductedme.com *, ' owen ', ' aliensrool ', 

' aliendatabase'); 


$dbc = mysqli—connect('data•aliensabductedme•com', 'owen ', ' aliensrool ', 

"aliendatabase") 


$fangisgone = mysqli_connect( ' data.aliensabductedme.com *, 'owen', 'aliensrool ', 
' aliendatabase'); 


$dbc = mysqli_connect('localhost ', ' owen ', ' aliensrool ', ' aliendatabase'); 


$dbc = mysqli—connect('data•aliensabductedme•com▼, * owen ', ' ', ' aliendatabase'); 


$dbc = mysqli_connect( ' data.aliensabductedme.com *, ' owen ', ' aliensrool*); 

mysqli_select_db($dbc, 'aliendatabase'); 
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sharpen solution 



Here are some examples of PHP database connection strings. 

Look at each one and then write down whether or not it will work, 
and how to fix it. Also circle any of the code you find problematic. 


$dbc = mysqli_connect(* data.aliensabductedme.com *, 'owen', 'aliensrool ', 

' aliendatabase'); 

.This y/ill y/o\rk ； . 

Yo[a heed a semi^oloh hev'e -to book, >wcVc usm^ si—e quotes (or PHP sbr\Y\^ 

tc\rrhihatc the PHP s-tatcmcht 3r>d v-cscv-v'm^ double 'u 。 七 es *fo\r S《L ^ucncs. 

$dbc — mysqli_connfet ( * data . aliensabductedme . com' ，- 'owen', 'aliensrool', \ 

n aliendatabase"0 ) J 

This •yi.qd woy*k because its missmj d scmidolo^. The quotes will work jus *)： like •jt^c si^jjc quotes. 


s 


_Ko*t a vevy dcsdviptivc (or 

< _^ d database tov>^cd*tior\. 

$fangisgone^：- mysqli 一 connect('data•aliensabductedme•com', 'owen', 'aliensrool 1 , 

一 , aliendatabase '); 

This y/ill y/oy-k, al-thoujh its ^o*t B V(C\ry Jood ^o\r a database 


$dbc = mysqli connect )calhost 




This assumes -the database scv-vcv- is loda-tcd ov\ 
the same scv-vcv donr»pu*tcv as -the y/eb scv-vcv-. 

owen ' r ' aliensrool 1 , 'aliendatabase'); 


This will y/o\rk, dssumm^ *thc v/cb scv-vcv* BY\d database sc\rvcv 0 的 sa^C 匕 hmc. 


〜empty database passed 

is a ^ood idc3- 



$dbc = mysqli connect(* data.aliensabductedme.com *, * owen 


€ 


aliendatabase'); 


This y/ill wojrk pY\h/ i^f you set a bla^k passy/oyd. (or the database. Not a good idea, *thoujK| 
}/o\a sKoujd always have, a passy/ord. set -foy ； ca^h databeisc ； . 


$dbc = mysqli_connect('data.aliensabductedme.com 1 , 
mysqli—select—db($dbc, 'aliendatabase'); 


Leaving o(( -the -Pou\rth av^umeht 
\r(^ui\r« you mys … i—sekt—dbO 
"to select the database. ^ 

owen ', ' aliensrool*); J 


So\r\ry, -this is d *bridk ^ues*tio 灼 • | 的你 ^||— doirmc 匕七 0, 七 ha 七 *fou\rth o( database ； is 

qftip»}aj : You day) leave.ii out o-f -thea^dl use .^ys^ri^scjcjtt^dbO -bp spc^i-f.y.i：bc of ihc 
da^dbdse ms-tcad ^ So -this ^odc is -jthc same as i-f you had passed all ^ou\r ay-jumc^ts i© ^y^lj^or\/}cM) : 


82 Chapter 2 





























connecting to MySQL 



O 


It seems like it would be easy to screw 
up one of the pieces of information used 
to connect to the database. How do I 
know for sure if the connection worked? 


This is where the PHP die () function comes in handy. 

The PHP die () function terminates a PHP script and provides 
feedback about code that failed. While it won’t reveal precisely what 
went wrong, die () tells us that something’s up and that we need to fix 
it. If something’s wrong with one of the four connection variables for 
mysqli—connect (), or if the database server can’t be located, the 
die () function will stop the rest of the PHP script from running and 
show the error message in parentheses. 


丁 he dicO is dolled i-f 

the ish’t 


$dbc V mysqli_connect('data.aliensabductedme.com', 1 owen 

or die('Error connecting to MySQL server . 1 )； 

This is io the 

web page i<P the 匕 ohh“tioh 


|*f or>C J ouv -fouv s*brnr^s m *tV>C mys'li 一 torme 乙七 () 

-fur>d*tioy> •is / 七 >wc II -feedbadk. 

'aliensrool ', 'aliendatabase') 


s. 



smdc w ov die(...)” is 七 e^mi6ally a 
dor>*tmuatior> 3 s'm^lc ⑼七 . 
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building queries in php 


Okay, so weve got a PHP database 
connection. Now what? Can we just 
start issuing queries as if were 
inside the MySQL terminal? 


0 



Yes! Once you’ve made a database connection 
with mysqli 一 connect () ， you can issue SQL 
queries directly from PHP. 

Nearly everything you can do in the MySQL terminal you can 
do in PHP code with the database connection you’ve now made. 
It’s this connection that establishes a line of communication 
between a PHP script and a MySQL database. For example, 
now that Owen has a connection to his database, he can start 
inserting data into the aliens—abduction table with the 
mysqli—query () function and some SQL query code. 


：-：?： ~ ,e,, 

1 saiiv@g re g s_ ii st • net 1 )’• 、 

Query OK, 1 rows affected (0-0005 sec) 


Rcrwcrwbcv-, ou\r ^oB\ is {o 

au-fcorwatc this It^SBRT 
Very usmg Pl+P code. 



The is passed *to 

^ys<\l\j^cryO as a PHP 


The mysqli—query () function needs an SQL query stored in a PHP 
string ($query) in order to carry out the insertion of alien abduction data. 
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connecting to MySQL 


Puild the INSERT query iw PHP 

SQL queries in PHP are represented as strings, and it’s customary 
to store a query in a string before passing it along to the 
mysqli_query () function. Since SQL queries can be fairly long, 
it’s often necessary to construct a query string from smaller strings 


-0—€ 

(O A 


Connect with mysqfHgonngctQr 


Assemble the query string. 


❺ Execute the query with mysqli_query(). 
o Close the connection with mysqli_close(). 


that span multiple lines of code. Owen’s INSERT query is a good 
example of this: 


$query 



This is a PUP vaviable 七 

Y\OVJ holds tKc INSERT <\uc^ry. 


="INSERT INTO aliens abduction 


(first name. 


The pc\riod tells PUP -to 
tadk this s-t\r*mg ov\io the 
st\r*mg oh the lihC. 

last name. 




when it happened, how long, how many, alien description. 


what they did, fang spotted, other, email) 


VALUES ('Sally', 'Jones', '3 days ago', '1 day', 'four',". 

'green with six tentacles ', 'We just talked and played with a dog ', 

'yes ', 'I may have seen your dog. Contact me.' 

'sally@gregs-list.net') n ; 



SihCc this Chtivc piede 
<^P ^odc is P(+P 
i"t rwust be 'mated 
with a servtidoloh. 


XKc is bvoke 灼 advoss multiple \\y\ts 

-to make <\ucvy move vcadablc - *tKc fcviods 
七 ell PttP bo *tuvv> this *m*to oy\c sbr\v\^ 

With the INSERT query stored in a string, you’re ready to pass it along to 
the mysqli_query () function and actually carry out the insertion. 


thereiare no 。 

Dumb Questl 9 ns 


Why is an INSERT into a 
database called a query? Doesn’t “query” 
mean we’re asking the database for 
something? 

Yes, “query” does mean you’re asking 
for something...you're asking the database 
to do something. In MySQL database 
applications, the word “query” is quite 
general, referring to any SQL command 
you perform on a database, including both 
storing and retrieving data. 


Why isn’t the INSERT statement 
just created as one big string? 

Keep in mind that the INSERT 
statement is stored as one big string, even 
though it is created from multiple smaller 
strings. Ideally, the INSERT statement 
would be coded as a single string. But 
like many SQL statements, the INSERT 
statement is quite long and doesn't fit on 
a “normal” line of code. So it’s easier to 
read the query string if it’s coded as smaller 
strings that are glued together with periods. 


Is it really necessary to list the 
column names when doing an INSERT? 

No. You can leave off the column 
names in the INSERT statement. In which 
case, you must provide values for all of the 
columns in the table in the same order that 
they appear in the table structure. Knowing 
this, it’s generally safer and more convenient 
to specify the column names. 
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the mysqli_query() function 


Query the MySQL database with PHP 

The mysqli_query () function needs two pieces of information to 
carry out a query: a database connection and an SQL query string. 


-Q ~Connect with mysqIi_eenncet ()7 

― Assomblc the query string. 

Execute the query with mysqli_query(JT^ 

o Close the connection with mysqli_close(). 


mysqli 一 query( database_connection 

This is a database -tha^s dkeddy 

cs^blishcd vi^ 灼 . 


query) 



TW»s is i\\t S 公 t '叫 that 

will be … 

we s*toV"cd a s-tv-'mj. 


The database connection required by the mysqli_query () function 
was returned to you by the mysqli_connect () function. Just in case 
that’s a bit fuzzy, here’s the code that established that connection: 

$dbc = mysqli—connect ('data • aliensabductedme • com' , ' owen ', 

C or die ( ' Error connecting to MySQL server.' )； 

一 T\\t *to 

diaiabase v^as s-toved away 
cav*licv* *biic fdbc> va\ri3blc* 



Rcrwcrwbc\r, these ^OhhC^tioh 
variables will be di-P^CV-Cht 
<Po\r you\r database sc-tup. 


aliensrool', 'aliendatabase') 


So you have a database connection ($dbc) and an SQL query ($query). 
All that’s missing is passing them to the mysqli_query () function. 


The 


$result = mysqli query($ 



dbc^ 


$query) 


^uciry 


or die(* Error querying database. *) 


丁 he v-csult o( -the e^uev-y 


TKc database 

torme 乙 *t»o 灼. 


This code shows that calling the mysqli_query () function isn’t just a 
one-way communication. The function talks back to you by returning a 
piece of information that’s stored in the $ result variable. But no actual 
data is returned from the INSERT query — the $ result variable just stores 
whether or not the query issued by mysqli_query () was successful. 


An SQL cjuery 

is a req uest 

written in SQL 

code tkat is 
sent to tke 
database server. 


Tke myscjli—cperyO function reejuires a ctataLase connection 
and a c^uery string in orcter to carry out an SQL cjuery. 
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connecting to MySQL 


Close your connection with 奇 


mysqILcloseO 

Since we’re only interested in executing the single INSERT 
query, the database interaction is over, at least as far as the 
script is concerned. And when you’re done with a database 
connection, you should close it. Database connections will 
close by themselves when the user navigates away from the 
page but, just like closing a door, it’s a good habit to close 
them when you’re finished. The PHP mysqli—close () 
function closes a MySQL database connection. 


0 


€ 


mysqli—close (database_connection ); 


^ TWis *»s y/V^crc you pass 

da*takasc variable 


v/eve us'm^ *to 

database- 


Connect with mysqI LeenncetOr 


- wi 本 h-m y sqU ： ^ t}efy 0 T 


Close the connection with mysglLcloseO?^ 


It’s a good katit 
to close a MySQL 

database connection 
wken you’re 
finisked witk it. 


In the case of Owen’s script, we need to pass 
mysqli_close () the actual database connection, 
which is stored in the $dbc variable. 


mysqli—close($dbc); 


This vav-iablc holds a \rc-Pcv-Chdc io 
the database dohhcdtioh, wkidk was 

Sealed by 啪 y— 一乙。喊 dtO badk 

v/kh the dohhcdtioh was -fiv-st opened- 



But if database 
connections are closed 
automatically, why bother? 



Database servers only have a certain number of 
connections available at a time, so they must be 
preserved whenever possible. 

And when you close one connection, it frees that connection up so 
that a new one can be created. If you are on a shared database, you 
might only have five connections allocated to you, for example. And 
as you create new database-driven applications, you’ll want to keep 
your supply of available connections open as much as you can. 
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no dumb questions and bullet points 


thereiare no ^ 

Dumb Questi9ns 


Q/ Couldn’t you just put all the SQL code directly in the 
mysqli_query () function in place of the $ query 
variable? 

You could, but it gets messy. It’s just a bit easier to manage 
your code when you store your queries in variables, and then use 
those variables in the mysqli query () function. 


Should the code that issues the INSERT query be doing 
anything with the result? 

Perhaps, yes. So far we've been using die () to terminate a 
script and send a message to the browser if something goes wrong. 
Eventually you may want to provide more information to the user 
when a query’s unsuccessful, in which case you can use the result of 
the query to determine the query’s success. 


BULLET POINTS - 

■ Database connections need a location, a username, a 
password, and a database name. 

■ The mysqli_connect () function creates a 
connection between your PHP script and the MySQL 
database server. 

■ The die () function exits the script and returns 
feedback if your connection fails. 

■ Issuing an SQL query from PHP code involves 
assembling the query in a string and then executing it 
with a call to mysqi—query () ■ 

■ Call the mysqli—close ( ) function to close a 
MySQL database connection from PHP when you’re 
finished with it. 
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connecting to MySQL 



Tesr DriVq 


Replace the email code in Owen’s report. php script so that 
it inserts data into the MySQL database, and then try it out. 

Remove the code in the report. php script that emails form data to Owen. In its 
place, enter the code that connects to your MySQL database, builds a SQL query 
as a PHP string, executes the query on the database, and then closes the connection. 



ttcv-c s the hew PHP da-tabase 

Code you vc bcch wo\rkih^ oh. 
Do” 七 Chtcv the <?php ?> 
■tags ih \rcpo\rt.php sihde youVc 
dddih^ this Code "bo d spot 

^ 咖中七 thats already 
inside the tags. 


<T + r :工二 


1 owen ’ 


1 aliensrool 1 , 1 alisndatabase ) 


$querY = " INSE RT INTO aliens—abduction (first_name, last name, • 
Un—it—happened, how—long, how_many, alxen_descr iP txon, • 

， ' W hat 二 they—did, fang—spotted, other, eI ^ ai l - ， four ,, ” ■ 

:: =fn wlth 1 ^^ tlntaclls'! ' ' We Y jus?°t ； l k ed and played with a dog- 
"'yes', 'I may have seen your dog. Contact me., 

» »sally@gregs-list.net ’） n ; 


mysqli_query ($dbc, $query) 
database •’）； 


$result 

or die('Error querying 


mysqli_close($dbc); 


Upload the new report. php file to your web server, and then open the 
report. html page in a browser to access the Report an Abduction form. 
Fill out the form and click Report Abduction to store the data in the database. 
Now fire up your MySQL tool and perform a SELECT query to view any 
changes in the database. 


mysql 〉 SELECT * FROM aliens_abduction; 

+ - + - +— 

I first—name | last name | v 

+ - r + r —— 

I Sally I Jones I 2 


I Sally 
+- 


I Jones 

— I - 




t—happened 

1 

how long 

-+• 

1 

how many 

ago 

1 

1 day 

-+■ 

1 

four 

ago 

1 

1 day 

1 

four 


■+- 





- - - 

I alien_description | 

- - - 

I green with six tentacles | 

I green with six tentacles | 
—- -- 


2 rows in set (0.0005 sec) 


Is this correct? Write down if you think this is what the script 
should be doing, and why. 
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use $_POST in the INSERT query 



Hang on a second. Isn’t the whole point here to 
take data from a form and store it in a database? 

It looks like the querys inserting the same data no 
matter what gets entered into the form. I don’t see 
how this PHP script automates anything. 


This is a big problem. The insert query needs to be 
inserting the form data, not static strings. 

The query we’ve built consists of hard coded strings, as opposed to being 
driven from text data that was entered into the alien abduction form. In order 
for the script to work with the form, we need to feed the data from the form 
fields into the query string. 


i ikcm gUdhsl 




I jquery \ 


mysqli—query () 


^ TV)ts -fov-w d3*t3 ^ 
-to wake vb … ay ^ 



The dlich dbdu^ioh 
*Poirm i s whcv-c the 
usev’s lrcpov-t daia 
Comes -fv-om. 





What PHP code can help us get the values 
from Owen’s form into the insert query? 
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connecting to MySQL 


LPOST provides the form data 

The good news is that the report. php script already has the form 
data stored away in variables thanks to the $_POST superglobal. 
Remember this PHP code? 


$name = $ POST[* firstname *] . ' ' . $ POST['lastname']; 


$when_it 一 happened = $_POST['whenithappened 1 ]; 

$how_long = $_POST['howlong']; ^ - 

$how_many = $_POST[ 1 howmany']; 

$alien—description = $_POST['aliendescription *]; 


The f 一 POST supcv-globals already 
仪 d "to cxtirad-t the data 

•(V 。你 cadh 0 \ncy\s -fov-rn -fields 

s-to\rc it ih vaHdbles. 


$what_they_did = $_POST[ 1 whattheydid']; 
$fang_spotted = $_POST['fangspotted']; 
$email = $_POST['email 1 ]; 


V. Rcmcmbcv-, you 

use -fov f 一 POST r>ccds *to 

up o( 

dr\ ttTML -fovrirt -f ield- 


$other = $_POST[* other']; 


So you already have the form data in hand, you just need to incorporate 
it into the alien abduction INSERT statement. But you need to make a 
small change first. Now that you’re no longer emailing the form data, you 
don’t need the $name variable. You do still need the first and last name 
of the user so that they can be added to the database — but you need the 
names in separate variables. 

"Hie uscir s hdme is how s*fcov~cd ih 
separate vav-iablcs so that it 

$last_name = $_POST [ ' lastname ' ] ; —- tc ihsc\rtcd ih-fco distiwt Coluwms 

"the dlichs__dbdu^tioh 


$first_name = $_POST['firstname *]; — 



E%eRci$e 


Write the PHP code to create Owen’s insert query string that is stored in the $ query 
variable, making sure that it stores actual form data in the aliens—abduction table upon 
being executed. 
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single and double quotes in php 


Write the PHP code to create Owen’s insert query string that is stored in the $ query 
variable, making sure that it stores actual form data in the aliens—abduction table upon 
being executed. 

丁 Column 

*m i\\t S 公 L 

c%a^*tly as -tVicy d\d bc-fov-c. 

f^ucv-y — ^INSERT INTO aliens 一 al>dud*ticm las*t__^amc, v/hcn 」 七一 how 一 I05 w 




{i hov/^n\ 3 ny, ali ⑼一 desd\rip*ticm, 一 did, -fa^g^spo-t-tcd, o*t^c\r, email) w . 

1 VALUES Cf^irsi_jr\Sn\C) { fhsijr\Sn\C, 1 fv/hc^__i*t_happc^cdl ， ； 一 loir^ { fhov/^_n\Sr\y 

i 0 f 3 licr\^dcs£.ri^iior\ ， , i fy/ha*t__*tiicy__did^ ^foihe^f 'fcmailO ^； 


l^siead <^P s-btid daia about 
Sally OohCS abdud*t._oh, how y/C 
•ms 饮 i whalcvc\r data the us 饮 
Chtc\rcd ih-to the -Pov-rw. 




\\^ ovdev* *t-V^c v3v*i3blcs must 
*biic ov-dev- o-f i\\t 匕 oluwm 

r^ames (or -tile data -to shoved 
m *t^c Corrtci £.olumr\s of *tiic "table- 


tJiereiare no 。 

Dumb Questi9ns 


Do I have to create all those variables to store the 
$_P0ST data? Can’t I just reference the $_P0ST data directly 
into the $ query string? 

Yes, you can. There’s nothing stopping you from putting 
$—POST directly in a query. However, it's a good coding habit to 
isolate form data before doing anything with it. This is because it’s 
fairly common to process form data to some degree before inserting 
it into a database. For example, there are clever ways for hackers to 
try and hijack your queries by entering dangerous form data. You’ll 
learn how to thwart such attempts in Chapter 6. To keep things 
simple, this chapter doesn’t do any processing on form data, but that 
doesn't mean you shouldn’t go ahead and get in the habit of storing 
form data in your own variables first before sticking it in a query. 

OK, so does it matter where you use single quotes versus 
double quotes? Can I use single quotes around the whole query 
and double quotes around each variable? 


Yes, it matters. And no, you can’t use single quotes around the 
whole query with double quotes around the variables. The reason 
is because PHP treats strings differently depending on whether 
they appear inside single quotes or double quotes. The difference 
between the two is that single quotes represent exactly the text 
contained within them, while some additional processing takes place 
on the text within double quotes. This processing results in a variable 
inside of double quotes getting processed and its value placed in the 
string in lieu of the variable name. This is quite handy, and is why 
double quotes are generally preferred for building SQL query strings. 

Couldn’t you just build query strings by concatenating the 
variables with the SQL code? 

Yes, and if you went the concatenation route, you could 
certainly use single quotes instead of double quotes. But query 
strings tend to be messy as it is, so anything you can do to make 
them more readable is a good thing—embedding variables directly 
in a double-quoted string instead of concatenating them with single 
quotes definitely makes query strings easier to understand. 
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connecting to MySQL 



E%eftci$e 


Let’s use everything we’ve learned to finish Owen’s form-handling PHP script so that it can 
successfully store alien abduction data in a database. Finish the PHP code below to complete 
the report. php script. 


<?php 


$when it_happened = $—POST['whenithappened']; 
$how_long = $_POST['howlong']; 

$how_many = $—POST['howmany']; 

$alien 一 description = $_POST['aliendescription']; 
$what_they_did = $_POST['whattheydid']; 

$fang 一 spotted = $_POST['fangspotted']; 

$email = $—POST['email 1 ]; 

$other = $ POST['other']; 


$dbc = 


$query = ’’INSERT INTO aliens—abduction (first—name, last_name, when—it 一 happened, how 一 long, 
’'how 一 many, alien 一 description, what_they_did, f ang_spotted, other, email) M . 

"VALUES ('$first 一 name 1 , '$last—name 11 $when 一 it—happened', '$how_long ', ' $how_many ', M . 
n 1 $alien 一 description 1 , '$what_they_did ', 1 $fang—spotted', '$other 1 f '$email ') M ； 

$result = 


echo 'Thanks for submitting the form.<br / >'; 

echo 'You were abducted ' . $when it—happened; 

echo ' and were gone for ' . $how 一 long . '<br />'; 

echo 'Number of aliens : ' . $how_many . '<br / >'; 

echo 'Describe them : ' . $alien 一 description . '<br />'; 

echo 'The aliens did this : ' . $what_they_did . '<br / >'; 

echo 'Was Fang there? ' . $fang 一 spotted . '<br / >'; 

echo 'Other comments : ' . $other . '<br />'; 

echo 'Your email address is ' . $email; 


you are here ► 
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exercise solution 



<?php 

F*fi\rs 七 


Let’s use everything we’ve learned to finish Owen’s form-handling PHP script so that it can 
successfully store alien abduction data in a database. Finish the code below to complete the 

report. php script. 


TV hew variables hold the 
七 3hd Us 七 o-P "the uscv ~； 
as Chtc\rcd ih-fco the -poVrw. 



si 




flas*t =• f POSTHastha 州 c ]; 

$when—it 一 happened = $—POST['whenithappened']; 
$how 一 long = $_POST[* howlong']; 

$how 一 many = $_POST['howmany']; 

$alien—description = $—POST['aliendescription']; 
$what_they_did = $_POST['whattheydid']; 

$fang 一 spotted = $_POST['fangspotted']; 

$email = $_POST['email']; 

$other = $ POST['other']; 


Y<>u must dormed 七 *to 七 he da*t3basc 
pv-ovidc *thc fv-ofev 

*m-povma*tio^ bc-Povc 叫 

S 夕 L ^uCV-ics -pv-om PHP- 

The ^ucv-y is dcms'brutted as a PHP 
s-tirmj, nr»akmg suire \jo use dd'td 
C'AbrStitd from the -Po\rrw -fields. 


$dbc = 匕七 ('data.alie 灼 l o>/'alic^sv-ool^ 'alic 灼 database’) 

o\r die('&r\ro\r *to MySl$L sc\rvc\r.O ； 

$query = ’’INSERT INTO aliens 一 abduction (first 一 name, last_name, when—it—happened, how 一 long, 
n how—many, alien 一 description, what_they_did, fang_spotted, other, email) M . 

"VALUES ('$first—name 1 , '$last 一 name 1 , '$when—it—happened 1 , '$how_long ', ' $how_many ', M . 
n 1 $alien—description', '$what_they_did ', 1 $fang—spotted', '$other ', '$email ') M ； 

$ re suit = mys^l i__^uc\r jd\)t, f ^uc\ry^ ^^ £>ccdu*tc 七 he <\uCV-y oy\ 

o\r dicO£\r\ro\r database ^； 

.^Y s .^[u^. os ?f. ^ 7 . Close -the database WmedW. 


echo 

echo 

echo 

echo 

echo 

echo 

echo 

echo 

echo 


Thanks for submitting the form.<br / >'; 

You were abducted ' . $when—it 一 happened; 

and were gone for ' . $how_long . '<br / >'; 

Number of aliens : ' . $how_many . '<br / >'; 

Describe them : ' . $alien 一 description . '<br / >'; 

The aliens did this : ' . $what_they_did . '<br />'; 

Was Fang there? ' . $fang—spotted . '<br / >'; 


Other comments : ' . $other . '<br 

Your email address is ' . $email; 


/>▼; 

Co^-pivm *thc suddess-pul 
-poVm submission jus*t like 
you did \y\ 七 he old sdvif 七 . 
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connecting to MySQL 




Tesr DriVq 


Change Owen’s script to use actual form data when you do an insert. 

Remove the $name variable in the report. php script, add the $f irst_name and 
$last_name variables, and modify the $ query variable to use form variables instead of 
static text in the INSERT statement. Upload the new version of the script and then try it out 
by submitting the form in the report. html page a few times, making sure to enter different 
data each time. 
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Now use your MySQL tool to carry out a SELECT and view the contents of the 
aliens abduction table. 


TV>C V>C>M d\\tY\ 
abdut*tiov> 
vepovts appeav m 
*tKc -table jus*t as 
you y/ould c%fcd*t| 


mysql> SELECT * FROM aliens_abduction; 




first—name | last 


name^l when_it_happened | how_long | how_many | alien_description 



Sally 

Sally 

Don 

Shill 

Alf 


Jones 

Jones 

Quayle 

Watner 

Nader 


3 days ago 
3 days ago 
back in 1991 
summer of 1 69 
last November 


5 rows in set (0.0005 sec) 


1 day 

1 day 

37 seconds 

2 hours 
11 hours 


four 

four 

dunno 

don't know 
dozens 


green with six tentacl 
green with six tentacl ‘ 
they looked like donke 
there was a bright lig 
little green men 


TKcvc^s c^*tv "3 v-ow 
o-f data -fov Sally 

K Jones -fvom bc-fovc you 

Wd 如 INSERT 

c^uevy. Por/t v/ovry ， 
you lcav-r\ iioy/ *to 
vcw'ovc ur\y/3^*tcd da*t3 
•m i\\t diiapW- 


you are here ► 
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adding WHERE to your SELECT 


Owen needs help sifting through his data 


The new and improved report. php script is doing its job and automating 
the process of adding alien abduction reports to the database. Owen can just 
sit back and let the reports roll in... except that there’s a new problem. More 
data isn’t exactly making it any easier to hone in on alien abduction reports 
involving a potential Fang sighting. 


rm really stoked that I’ve now got a 
〜 database automatically filled with alien 
abduction reports submitted by users. 
But it doesiVt help me isolate the 
reports that might help me find Fang. 


Owen needs a way to find specific data, such as alien 
abductions where Fang was spotted. 

You know what column of the database contains the information in 
question: f ang_spotted. This column contains either yes or no 
depending on whether the ab due tee reported that they saw Fang. So what 
you need is a way to select only the reports in the aliens_abduction 
table that have a value of yes in the f ang_spotted column. 

You know that the following SQL query returns all of the data in the table: 


SELECT * FROM aliens abduction 


The SQL SELECT statement lets you tack on a clause to control the data 
returned by the query. It’s called WHERE, and you tell it exactly how you 
want to filter the query results. In Owen’s case, this means only selecting 
alien abduction reports where the f ang_spotted column equals yes. 


f 


Remember 1 /VH 6 RE- 

dlduse, -this dauscs dll C^f *tKc 

data m tabic bo be selected. 


The o-f 



Tiic value 


£.olumy\ must loC set 
■to m order (<yr 
data -to be 



SELECT * FROM aliens abduction WHERE fang spotted = 1 yes 



This pa\rt o( the SBLBCT 

' 败 y s-bys the same - the 

INHERE clause "takes of 

whi-ttlmg dowh -the v-csults. 



T\\\s dlause vedutes {Mt da*ta 
v-c*tuv-v>cd by <\ucv-y, o^ly 

-tKc daia v/Kcvc We 七七 ed 

乙 oluwm is sc*t to yes. 
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connecting to MySQL 




Tesr DriVq 


Try out the select query with a where clause to find specific data. 

Use a SELECT query with a WHERE clause in your MySQL tool to search for alien 
abduction data that specifically involves Fang sightings. 



File Edit Window Help HaveYouSeenH 


mysql> SELECT * FROM aliens_abduction WHERE fang_spotted * Y es 


+- 

I first 
+- 


_ + - + --- 

name | last—name I when— it_happened I how_long 

— _I_I - 




I 


Sally 

Sally 

Don 

Shill 

Mickey 


I 


I 


H - 


Jones 
Jones 
Quayle 
Watner 
Mikens 

—— I - 


I 


I 


I 


I 


I 


3 days ago 
3 days ago 
back in 1991 
summer of '69 
just now 
■ — + - 


I 


I 


I 


I 


1 day 

1 day 

37 seconds 

2 hours 

45 minutes 


and counting I 

- +- 


5 rows in set (0.0005 sec) 



- + - 

1 fang—spotted 

.net 

1 yes 

.net 

1 yes 

.com 

1 yes 

.com 

1 yes 

.net 

1 yes ■ 

~~ ~- ——— 



\ 


other 


- + 


- h- 


f may have seen your dog. Contact me. . …… . 

may have seen your dog. Contact me. 

工 really do love potatos. 

工 was out of crqc ： • 4 _ 


—+ 


- h 


/\|| Jc *b^csc \rctovds 

Column se 七 "to yes. 
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owen J s mysql database is up and running 


Owen's on his way to finding Fang 

Thanks to PHP and its functions that interface to MySQL, Owen’s MySQL 
database server receives the alien abduction data from an HTML form and 
stores it in a database table. The data waits there safely in the table until 






+ - 

I first—name 
+ - 


■+ - 

I last—name 
-+ - 


| Sally 

| Jones 


| Don 

| Quayle 


| Shill 

| Watner 


| Mickey 

| Mikens 


| James 

| Decola 



- - 

I when—it—happened 

- - 

I 3 days ago 
I back in 1991 
I summer of 1 69 
I just now 

I sometime in the 70’s 

- - 


how long 


1 day 丨 L， 

37 seconds I 

2 hours I d 

45 minutes...and counting | h 

several years I P 

__ — 


+ - 

I how_many 

+- 

I four 
I dunno 
I don 1 1 know 
I hundreds 
I plenty 


5 rows ir 


f3.ng — spotted | other 


J ma y have seen your dog. Contact me. 

really do love potatos. 

工 wa.s out of eras a +- TT _ ^ — 

I，m thinVHr, a prett y good abduction. 

_“ id _ a^ogranfbunches of^eetLs! abducti _. 


mysql 〉 SELECT * FROM aliens—abduction WHERE fang—spotted = ’yes 1 ; 


Owen gets a chance to sift through it. And when he’s ready, a simple SELECT 
query is all it takes to isolate abduction reports that potentially involve Fang. 


UFO buW ar\d 
lovcv" of da'tabases. 


Cool. Storing the data in a database 
is sooo much better than email, and I 
can now really focus on alien abductions 
where Fang mighfve been seen. 
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connecting to MySQL 


4 


f 






Even though you haven’t seen it all put together yet, match each 
HTML, PHP, and MySQL component to what you think it does. 


aliendcltabclse 

This is the SQL code the PHP script passes to the 

aliens 一 abductfcn table 

MySQL server. 

report.kml 

This runs PHP scripts and returns HTML pages to browsers, 
often communicating with a database along the way. 

The name of the database that contains the 

aliens abduction table. 

report.p}ip 

The HTML form uses this request method to send the 
data in the form to a PHP script. 


POST 

Web serVer 

This is where the data from the report. html form 
will eventually end up being stored. 

This is where Owen collects data from the user. 

MySQL dcttabclse server 

This PHP function closes a connection to the MySQL server. 

Submit button 

This is the name of Owen’s PHP script that processes 
the data users enter into his report. html form. 


This PHP function sends a query to the MySQL server. 

niysc(li_connect() 

This HTML element is used by visitors to the site 
when they finish filling out the form. 

niyscflLcloseO 

This is another name for the software that runs MySQL 
and all the databases and tables it contains. 

niysc(li_c(ueiyO 

This optional PHP function tells the database server 
which database to use. 

niys<^l! 一 seject_db0 

This opens a connection between the PHP script and 
the MySQL server so they can communicate. 


you are here ► 
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who does what solution 










Even though you haven’t seen it all put together yet, match each 
HTML, PHP, and MySQL component to what you think it does. 


aliendcitabctse 


ctliens_abclucti9n table 


report.kml 


report.pKp 


POST 


Web serVer 


Submit button 



MySQL dcttabclse server 




niysc(li_c€>nnect() 


mysc(li_closeO 


mysc(li_c(iieiyO 


niysc(ll_select_cll30 


This is the SQL code the PHP script passes to the 
MySQL server. 

This runs PHP scripts and returns HTML pages to browsers, 
often communicating with a database along the way. 


The name of the database that contains the 
aliens—abduction table. 

The HTML form uses this request method to send the 
data in the form to a PHP script. 

This is where the data from the report. html form 
will eventually end up being stored. 


This is where Owen collects data from the user. 


This PHP function closes a connection to the MySQL server. 

This is the name of Owen’s PHP script that processes 
the data users enter into his report. html form. 

This PHP function sends a query to the MySQL server. 

This HTML element is used by visitors to the site 
when they finish filling out the form. 

This is another name for the software that runs MySQL 
and all the databases and tables it contains. 

This optional PHP function tells the database server 
which database to use. 

This opens a connection between the PHP script and 
the MySQL server so they can communicate. 
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connecting to MySQL 



It’s pretty cool that I’ve learned how to insert data 
into a MySQL table but I’m still a little confused about 
how the table and its database were created. What gives? 

Good question. It's true that you need to understand 
how to create your own tables, not just use code presented to 
you. So far you've created a table without much understanding 
of the CREATE TABLE syntax. That’s fine for Owen’s 
single table, but when you need to create multiple tables of 
your own design, it isn't good enough. You'll need to take a 
closer look at the data you're storing in new tables and think 
about the best way to represent it. This is the main focus of 
the next chapter... are you ready? 
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creette and populcite a dcttabase 





You don’t always have the data you need. 

Sometimes you have to create the data before you can use it. And sometimes you have 
to create tables to hold that data. And sometimes you have to create the database that 
holds the data that you need to create before you can use it. Confused? You won’t be. 
Get ready to learn how to create databases and tables of your very own. And if that isn’t 
enough, along the way, you’ll build your very first PHP & MySQL application. 


this is a new chapter 



mailing-list app needed! 


The Elvis store is open for business 

Elmer Priestley has opened his Elvis store, MakeMeElvis.com. 
Demand has been huge. He’s sold a number of studded polyester 
jump suits, many fake sideburns, and hundreds of pairs of 
sunglasses. 

Each time someone buys something, Elmer collects a new email 
address. He uses these to send out newsletters about sales at 
his store. Right now Elmer has to manually go through each 
email address in his list and copy and paste to send out his email 
advertising sales. It works, but it takes a lot of time and effort. 


EUev, 七 he 
uv\d'is\>u*tcd 
o-f oy\l'mC 
^Iv'is ^oodis. 


This is taking too long. Td 
rather be spending my time 
imitating Elvis, not sending 
out emails manually. 


O 


o 



wv-i-tes -this 

加 3il topics 

pas-tes 
3 dd\ress ih 
七 W ^ield. 


com 


Toth 

^V/7ey 


Anne 

^lumbo Andre 


f^yan 




To: 


5 Ut 3 jC£T ： 


Talwg 
^zwed 
Sherid, 
Snow 
Otto 
Hardy 
Deal 
Jagel 
Melfi 
Oliver 
Parker 
Ricci 
Reno 


Ann 
Mary 
Ann 
Jarnes 
Lee 
Anne 
Peter 
Grace 
Zelda 
Clifford 
Joyce 

JaCObs Anne 


Moss 

Day 

Bolger 

Blunt 


Elmcv lias email 
广 addv-csscs tolled 七 ed a 七七 V>is 
^ fo’mt ^ 七 move cvevy dsy- 

拜， ch 乂 

Glenn ol Sno 〜 

A _ 


Tom 

^Kinney A 岔 na 

Meeker A ^' ay 
p owers 

Mans °n An 
Handel ^. ne 

Vl kram 
Joe 

an Diana 

Edward 


■com 


■com 
Be -com 


These fcoflc 
dve oy\ EUcv-^s 


Big Sale! 


end'll r»s*t, ar\d 

look -fov-wavd 
■to lookmj moV"C 
like Elvis wrbh 
EUev’s liclp- 



{) 


■ 



Dear Fellow Elvisonians, 

Big sale this week at MakeMeElvis.com! 
Genuine horse hair sideburns 20% off! 

And don , t forget the ''buy one, get one 
f ree 〃 leisure suits — only three days 

left! 


n 


Elmer spends far too much time copying and pasting 
emails into the “To” field of his client email application. 
He wants to simplify the task of adding new email 
addresses and sending out mass emails. 


a 



104 Chapter 3 








create and populate a database 


Elmer needs an application 


An application is a software program designed to fulfill a particular purpose 
for its users. Elmer needs an application that will keep track of his email 
address list and allow him to send out email to the people on the list by 
clicking a single form button. Here’s how he wants it to work: 


/ Go to a web page and enter an email message. 


IZf 


Click a Submit button on the page, and the message 
gets sent to the entire MakeMeElvis.com email list. 


Let the email list build itself by allowing new 
customers to sign up through a web form. 



With this laundry list of application needs, it’s possible for Elmer to visualize 
his application in all its glory... 


A wet application is 
a ctynamic wet site 
tkat is ctesig[nect to 


fulfill a particular 
purpose lor its users. 


TWis email stu 以 sounds a lot like 

⑼ but 

emdil lis'b vaill build cr«ail 

messages y/ill 50 out *to cir\*t>v*c lis*t- 

Elmer’s is all about 州 afccm. 





The MakeMeElvis.com web application consists of two main components: a form to send 
email messages to people on Elmer’s email list and a form to allow new customers to join the 
email list. With these two forms in mind, sketch a design of Elmer’s application. 
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our mailing-list app design 


Visualize Elmer's application design 


It always help to visualize the design of an application before diving into the 
development details. This means figuring out what web pages and scripts will 
be involved, how they connect together, and perhaps most importantly, how 
you’ll store the data in a MySQL database. 


TKcsc people avc 

vctcivc 七 1 ^七 he 
sends *bo list. 



This is the 
web -Pov-m that 

EUcv- -fills out 
"to ahd 

■to the list. 


sendemail.html 


£lrwCV*’s cr^ail addv*ess |is*t is 
s-to\rcd \v\ a table m a database 
。灼 a AlyS 夕 L dd'tdbdse scv-vcv-. 


Wendy 
Joe Bob 


last_name 

Matthews 
Werlitz 
Franklin 


wwer@ starbuzzcoffee.com 
2ksdqj@gregs-list.net 
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create and populate a database 



So where do we begin in building a 
PHP and MySQL application? Should we 
write the PHP script and then create the table 
to hold the data? Or should we make the table 
first and then the script? 


Joe ： I don’t see how it really matters. We’re going to need the table and the script 
before the application will work. 

Frank: That’s true, but I think we should write the script first so we can test out the 
PHP code before connecting it to the database. 

Jill: But the PHP script’s entirely dependent on the database. It’ll be hard to test the 
script if we don’t have a database for it to connect to. 

Frank: Couldn’t we create the script but just leave out the specific code that connects 
to the database? We could do everything but actually interact with the database. That 
might still be helpful, right? 

Joe ： Not necessarily. Remember, the script’s only job is to take data entered into 
an HTML form and stick it in a database. Or if it’s sending an email to the mailing 
list, the script reads from the database and generates an email message for each user. 
Either way, the database is critical to the script. 

Jill: True, but we didn’t even think about the HTML form. Where does that fit into all of this? I’m thinking we need 
to create the database before we can even think about writing the script. 

Frank: That’s it! First we create the HTML form, then we figure out what data goes in the database, and when that’s 
done we tie it all together with the script. 

Joe ： I’m not sure if that really makes sense. How can we create an HTML form when we aren’t 100% sure what 
data we need to get from the user? 

Jill: Joe’s right. The HTML form still leads back to us needing to have the data for the application figured out first. 
The data drives everything, so we should probably build the database and table first, then the HTML form, and then 
the script that reacts to the form submission. 

Frank: I’m sold. Let’s do it! 


Joe ： I still think we probably need to come up with specific steps of how this application is going to come together... 


Write down the specific steps you think are involved in going 
from design to implementation with MakeMeElvis.com. 
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planning the application 



We really need a plan of attack for putting together Elmer’s application. By breaking 
it down into steps, we can focus on one thing at a time and not get overwhelmed. 


o Create a database and table for the 
email list. 

This table will hold the first names, last names, and 
email addresses of everyone on Elmer’s mailing list. 


elvis store 



o Create an Add Email web form and PHP 

script for adding a new customer to the list. 

Here’s where we’ll build a form and script that will allow 
a customer to easily enter their first name, last name, and 
email address, and then add them to the email list. 




addemaU.p^P 

addemaii.html 



Create a Send Email web form and PHP 
script for sending an email to the list. 

Finally, we’ll build a web form that will allow Elmer 
to compose an email message and, more importantly, 
a script that will take that message and send it to 
everyone stored in his email list table. 



sendemail.html 
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create and populate a database 


It all starts with a table 


Actually, it all starts with a database, which is basically a container for storing 
data. Remember, in the last chapter, how databases are divided internally into 
more containers called tables. 


Like days and weeks in a calendar, a table’s made up of columns and rows 
of data. Columns consist of one specific type of data, such as “first name,” 
“last name,” and “email.” Rows are collections of columns where a single row 
consists of one of each column. An example of a row is 
“Wendy, Werlitz, wwer@starbuzzcoffee.com.” 


calendar 




These daia 

s-tv-ud-tu\rcs av-c 
both tables. 


A database is 
a container lor 
storing data in a 
very structured way. 



Generally, all the tables in a database have some relationship to each other, 
even if that affiliation is sometimes loose. It’s common for a web application 
to consist of multiple tables that are connected to one another through their 
data. But all the tables are still made up of columns and rows. 


A database, 

*»s stoved 

by a 

da-tabasc sewev. 


A table 



taV>\c 


Tables store data in 
a g[ricf-like pattern 
ol columns anct rows. 


These 把 the 幻 




ciY'C 

Irovvs. 



column 1 

<0,um "2 | (olum^~~ 

data 

data 

data 

data 

data 

data 

data 

data 

data 

data 

data 

data 

data 

data 

data 

data 

data 

data 

data 

data 

data 


Thihk o-p B 
database like 

a ^OhtaihCV- 
that holds 
ih-PoVrua-tioh. 


there ^ are no ^ 

Dumb Questi9ns 




-table 


V 


Some o-thc\r -table 


Where’s database data actually 
stored? Can I see the files? 

Database data is typically stored in 
files on a hard disk. And although you could 
certainly look at them, they wouldn't tell you 
much. Database files are binary files that can’t 
just be opened and looked at. That’s why we 
have SQL—to allow us to peer into a database 
and interact with the data stored within it. 
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CREATE your database 


Make contact with the MySQL server 


Elmer’s application design needs a database and a table. Most of the 
day-to-day work of dealing with a database involves interacting with 
tables, but you can’t just jump in and start creating tables without 
creating a database to hold them first. 

The CREATE DATABASE command is the SQL command used to 
create a database. Once that’s done, you can move on to creating a 
table with the CREATE TABLE command. But before you can 
use either of those commands，you have to connect to your 
MySQL database server. You did this back in the last chapter, and 
it required a few pieces of important information. 



A AlyS^L -tool sudh bs 
tk AlyS^L tc\rmihal lets 
you c,oy\y\cti io a MyS 公 L 
database scv-vcv- with 
a valid sc\rvc\r lodatioh, 
ahd password. 


As well as letting a PHP script make a connection to a database and 
perform database actions, the database server location, username, and 
password are the key to using the MySQL terminal or phpMyAdmin. 
And these tools are pretty helpful for getting a database application off 
the ground with the initial database and table creation. 

Since creating a database and table for Elmer’s application only has 
to happen once, it makes sense to use an SQL query to create them 
manually. So fire up your MySQL tool of choice, and get ready to 
knock out the first step of Elmer’s application, creating a database and 
table for the email list. 


The names Elmer. 
That's E-L-M-E-R... 

O 





r 


You av-c hcv-c. 


㊉ 


Create a database and table for 
the email list. 


o Create an Add Email web form 
and PHP script for adding a new 
customer to the list. 

o Create a Send Email web form 
and PHP script for sending an 
email to the list. 
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create and populate a database 


Create a database for Elmer's emails 


To create a new table and database for Elmer’s email list, first we need to 
create the elvis—store database, which will hold the email—list table. 
We’ll use SQL commands to create both. The SQL command used to create 
a database is CREATE DATABASE, which you used briefly in the previous 
chapter. Let’s look a bit closer at how it works. 


CREATE DATABASE database 


name 


TV^C o-f Y\C^I 

database *to be seated 


You need to specify the name of the new database after the command 
CREATE DATABASE. Here’s the SQL statement to create Elmer’s database: 


CREATE 

DATABASE 

is tke SQL 

commanct usect 
to create a new 
database. 


CREATE DATABASE elvis store 


When you execue this statement on a MySQL database server, the 
database will be created. 


File Edit Window Help Don’tBeCruel 


mysql> CREATE DATABASE elvis_store; 
Query OK, 1 row affected (0.01 sec) 



Creating the elvis_store database with the CREATE DATABASE 
command results in a shiny new database but no table to actually store 
data in yet... 



^ you iruh S^L 扣 ds ih the 

tcv-mmal, you always add a scmi^oloh -to -the 
Chd...but hot whch you issue S^L 
though the pftp r,ys n li__ nucv . y 0 


Watch it! 


SQL statements only end with semicolons 
when you use the terminal. 

In your PHP code, your SQL statements don’t need 
to end with a semicolon. The MySQL terminal is 
different, however, and requires a semicolon at 
the end of every SQL statement This is because the terminal 
is capable of running multiple SQL statements, whereas in PHP, 
you only submit one statement at a time. 


elvis store 



N 

database is tv-ca*tcd> 
but rt 乙 a/ 七 V^old 
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now CREATE your table 


Create a table inside the database 


You have to know what kind of data you want to store in a table before you 
can create the table. Elmer wants to use the first and last names of people on 
his email list to make the email messages he sends out a bit more personal. 
Add that information to the email address, and Elmer’s email list table 
needs to store three pieces of data for each entry. 

Each piece of data in a table goes in a column, which needs a name that 
describes the data. Let’s use f irst—name, last—name, and email as our 
column names. Each row in the table consists of a single piece of data for 
each of these columns, and constitutes a single entry in Elmer’s email list. 


EUcir s old text -Pile o( email 
addresses io 

七 lie dhd scdu\ri"ty 0*(* 

a -table- 


TV^c -table »s 

州叫 tould be sWd 

•m 七 he clvis s*tovc da-tabasc. 


elvis store 




、今 ， Wendy 
♦ _ Joe Bob 


Matthews 

Werlitz 

Franklin 


pn athan@wishiwaselvis.com 
wwe r @ starbuzzcoffee.com 
2ksdqj@gregs-list.net 




TKcsc dv-C C.oluw»y\S. 

Ouv- table V^as 七 V^rce. 


^revows. E 此 ho 甿 
匕 0 u 打 “— I 杻 

ahd email address 
ov\t pev-soh. 


mailinglist.txt 


Tatle rows are 
korizontal, and 
tatle columns 
are vertical. 


So now we know that the first name, last name, and email address of a 
customer must be created as columns in the email—list table. Problem is, 
MySQL tables are highly structured and expect you to provide more than just 
the name of a column of data. You have to tell the database a bit more about 
what kind of data you intend to store in the column. 

Pa-ta ^olumr\s'm 
cw'Sil___l* s *t 

email 
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create and populate a database 


Wc need to define our data 


When you create a table, you have to tell the MySQL server what type of 
data each column will hold. Data types are required for all MySQL columns, 
and each column in a table holds a particular type of data. This means some 
columns may hold text, some may hold numeric values, some may hold time 
or dates, and so on. MySQL has a variety of data types, and you need to 
know which one suits your particular data. Let’s suppose Elmer has a table 
named products that keeps track of the items for sale at his store: 


TJjis doh-ta'ms jocj dcs^v-iptiohs 
cadh yrodui ih Elmcv-s siovc- 



TV^C mvcvxW/ 乙乙。山’衫 
av^ value ^ov V|ov/ 

avc m s{pc^ 


product 

Blue Suede Shoes 
Polyester Pants with Sequins 



TV 




id tolunrm c.ov\ia\v\s “hi'ue ID values to ^ m s dedWdl values. 

•fo\r ea 乩 p\rodu^-t *m Ekcv-'s sWc. 

Notice that product is the only text column in the products table. 
There are also decimal numbers for price and integer numbers for 
inventory and id. MySQL has its own names for each one of these 
types of data, as well as a few more such as types for dates and times. 

It’s important to use the appropriate data types when you create table 
columns so that your tables are accurate and efficient. For example, 
text data takes more room to store than integer data, so if 

a column only needs to hold integers, it’s a smart practice to use an 
integer data type for it. Also, if it knows what kind of data a column 
holds, the web server won’t allow you to accidentally insert the wrong 
type of data. So if you have a column that holds a date, you will receive 
an error if you try to insert anything except a date in that column. 


To create a table，you need 
to know wnat type oi data is 
stored in eack table column. 



,hte ^r Number 


(>rodu< 曾 

Blue Suede Shoes 


PniVPCtiar Pnntc 、▲，: !>U C 一 ..!_ 

inventory 

厦 ranrs Wlrn o6C|Ulf 

24 

Stick-On Sideburns 

Elvis wig 

16 

93 

Text 

7 



Integer Number 







Why do you think using different 
data types is better than using 
just text to store everything? 
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frequenly used mysql data types 


Take a meeting with some MySQL data types 

These are a few of the most useful MySQL data types. Remember, you can use 
any of them to describe the data stored within a particular column of table data. 
It’s their job to store your data for you without mucking it up. 


CHAR or CHARACTER. s 

ar\d Vicv- data -to be a set 

Ic^. be 

i-P you have *twt s 七 ^ 
same 


ptc, “ pq 她勹 





She joes by either 

DATETI/VIE ov TI/VIESTA/VIP. 

She keeps -t\ra^k o-P -the daic 
and "time. 




should be whole ； but hc^s hot 
a-P\raid o-P hegative h_bm. tte 
乙 ah also s-to\rc sho\rt ihtcgcv-s ; ih 
v/hidh he S called a TI^YlhT 


Call W»m BU)B. ttc 

likes lav-y y>bs d 

bmav^. data. 




5 ° od ^ ds wiih BLOB 
二 7:: : 取仏 “ 

^ W hu3c 如 4 


VATB keeps -tira^k of youfr 

dsies. She doesh^t 

about the time, -though. 

She s also got a -fva-tcvhal 

■Uih, T/ME, who docs^i 

匕 ave what the daic is. 


Dcpchdihg OY\ you\r vc\rsioh of My£^L, the 

length ^ be dhav-a^cv-s beW /WyS^L 
^• 03 , ar>d up -to 的只弓 dhava^-tev-s ih ^.O.l 
btev* vevsiohs. 


114 Chapter 3 


create and populate a database 


there J are no 

Dumb Qu 


Questi9ns 


Why would I ever use a CHAR when a VARCHAR does 
the same thing with more flexibility? 

The answer is accuracy and efficiency. From a design 
perspective, you should always design your tables to model your 
data as rigidly as possible. If you know without a shadow of a 
doubt that a state column will always hold exactly a two-character 
abbreviation, then it makes sense to only allot two characters of 
storage for it with CHAR (2 ). However, if a password column can 
contain up to 10 characters, then VARCHAR (10) makes more 
sense. That’s the design side of things. So CHAR is a little more 
efficient than VARCHAR because it doesn’t have to keep track of 
a variable length. Therefore, it’s more desirable when you know for 
certain a text column has an exact length. 





Why do I need these numeric types like INT and DEC? 


.It all comes down to database storage and efficiency. Choosing 
the best matching data type for each column in your table will reduce 
the size of the table and make operations on your data faster. Storing 
a number as an actual number (INT, DEC, etc.) instead of text 
characters is usually more efficient. 




Is this it? Are these all the types? 


.No, but these are the most commonly used ones. Well get up 
and running with these for now, rather than bogging things down by 
looking at data types you may never need. 






■f 





Match each MySQL data type to each description of some data you 
might store in a table. 


D 啦 Type 

Description 

INT 

Your full name 

CHAR(1) 

A two letter state abbreviation 

DATE 

Cost of an Elvis wig: 48.99 

TIME 

How much money Elvis’s best-selling album made. 

VARCHAR(2) 

Date of alien abduction: 2/19/2004 

DEC (4,2) 

Number of Elvis sideburns in stock: 93 

VARCHAR(60) 

Did you see Owen’s dog? Y or N 

CHAR(2) 

Your email address 

DATETIME 

When you eat dinner 

DEC (10,2) 

How many aliens you saw when you were abducted 

When Elvis was born 
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whafs my purpose? solution 








Match each MySQL data type to each description of some data you 
might store in a table. 


Wo-t heeded. Although i-t would wov-k 

士 饮 state abbreviation CHARCV 

_? bcUcir dhoidc because it s usually 
a I'Ulc move c-f-fi^ichi y 

D 啦 Type 


INT 



TIME 


^ARCIIAR(2) 


DEC (4,2) 
VARCHAR(60) 
CHAR(2) 


DATETIME 


DEC (10,2) 


DEC is gchcv-ally 
used -to s-fcov-c pv-idcs 

i 妁 dddi'tioh "to otlicv" 

decimal values. 


These *Uo y^umkev-s s\\o^i 
V^ovi w\ 3 yiy 七 
da*tabasc should e 平匕七 
•m -fv-or\*t *tV^c 
a^di ho … 七 cv~. 


Description 


lAA^a the a value 6 扣 

vav-y, VhRCm *»s a ^ood ^o»^. Make 
\i |onj -to VJd w^a-tevcv value 

someone Vill probably ^cd *to sW- 




you khow 

exactly how 你 3iv\y 
^ha\ra^-tc\rs -fco 

d 匕 olur^. 

Cost of an Elvis wig: 48.99 U se CH/\R. 


Your full name 


A two letter state abbreviation 



How much money Elvis’s best-selling album made. 
Date of alien abduction: 2/19/2004 


Number of Elvis sideburns in stock: 93 


Did you see Owen’s dog? Y or N 


Your email address 


When you eat dinner 

How many aliens you saw when you were abducted 


When Elvis was born 


V^u r^y have dhsy/(\rcd 
hc\rc, but tv-uc 
Elvisohiahs will khow -the 
exadt date tirwe. 


Thc\rc oiirc arguably othev- 
fpotchtially bettev*) ways "fco 
\rcp\rcsch*t a yes/ho value ih 

%s 公 l 七， usm 3 emen, 

but this ways st^aight-fov-wolv-d 
\rcasohably 
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Create your table with a query 

We’ve got all the pieces that we need to create our table, even 
a good name (email—list). We also have names for the 
columns of data: first—name, last—name, and email. 
All that’s missing is the data type for each column and an SQL 
statement to tie it all together and create the table. The SQL 
command to create your table is CREATE TABLE. 

It begins with CREATE TABLE then your table name. Two 
parentheses hold a comma separated list of all the column 
names, each one followed by a data type. Here’s what the 
command looks like: 



☆p, y/cVc still heve . bu 七 

v/cVc aUost veady *to move or\. 


㊉ 


Create a database and table 
the email list. 


Create an Add Email web form 
and PUP script for adding a new 
customer to the list. 


❺ Create a Send Email web form 
and PHP script for sending an 
email to the list. 


CREATE TABLE table name 


The table 




col umn_namel col umn_ typel r 

col umn_name2 col umn_ type2 r data type 

— 一 or the dolurrth 


You dov\i iiavc to tables 

and Columny\S iAir\dcvsdoV"C 

scp3v"3t>^5 wovds WH a jood 
loc to\r\s*is*bcr\*t wVtii 



Move tolumhS, 
i-f needed 


Tke CREATE 
TABLE SQL 

command is 
used to create a 
new tal>le in a 
ctataLase. 


^harpefi your pencil 


Write an SQL query to create Elmer’s email—list table with the three 
required columns of data: first name, last name, and email. 
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test-drive your CREATE queries 

- ^ikdrpen your pencil 

Solution 


Write an SQL query to create Elmer’s email—list table with the three 
required columns of data: first name, last name, and email. 


ttcirC S "the domnrtdiDci "to 

"the -table, r>otidc -the da^s. 


7~V)C O^Cir\nr\^ 
opc^s ■t^c l»s*t o-f 
乙 oluwms *bo Create. 


CREATE TABLE email list 


Youv tables name should be Uapsc 
dhd Kdve dn ^dtrstorc m o\ 


a^Y spates. 


-fi\rsi_^amc \MRCHARf 2 - 0 ), j^ c to_a sc\>av-a*tcs i\\t 

) toluwms kc'm^ tvca*tcd. 
last Mmc W\RCttAR(ZO ), 〆 


email vmewm^o) 


^ ,os ^9 pa^chthcsis ’ 

closes -the list ^olurvms. 



TiiC \r\3mC 

dolumn 七 h 七 S*toVCS 
七 Cvtndll ddclV"CSS. 


This tclk My^L that the 
wail dolu^ has a l/ARCHAR 
daia i y?c . The Uo) 

that the texi it holds ^ be 
up -to ^>0 ^hav-a^tevs lohg. 




Tqst DriVq 


Create Elmer’s database and table. 

Execute the CREATE DATABASE and CREATE TABLE queries using a MySQL 
tool to create the elvis store database and the email list table within it. 


CREATE DATABASE elvis_store 

CREATE TABLE email_list (first_name VARCHAR(20) , last_name VARCHAR(20) , email VARCHAR (60)) 

Did both queries execute without a hitch? If not，write down 
what you think might have gone wrong. 
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create and populate a database 


Hang on, something aiiVt right here. 
I entered the code to create the 
table exactly like we drew it up...and 
now rm getting some weird error. 



File Edit Window Help Oops 


s dll shook up bedduse 

his CRBATB TABLE 

s-btcmch-t is -flawless, yet 
the /WyS^L 
V-Cpo\rtihg ah cv-v-ov-. 


The CREATE TABLE 

but the /WyS^L tevWmal 
doesh^i know whidh database it 

bemg ^v*c3*tcd m … 灼 。七 good. 




s 



first—name VARCHAR(20) A 
last_name VARCHAR(20), 
email VARCHAR(60) 

)； 

ERROR 1046 (3D000) : No database selected 


For some \rcasor) the CRBATB TABLE 

s-ta-terwe^t -failed the MyS^L tevWmal. 

A , table r r f database 
frettiwg the -eaft iw frowt of the mm 

Elmer has a legitimate problem that has to do with the fact that the MySQL 
terminal doesn’t automatically know which database you’re talking about when 
issuing commands. Sure, it knows that you just created the elvis_store 
database, but there could already be plenty of other databases stored on the 
same server — it can’t just assume you’re talking about the one you just created. 

Fortunately, there is a simple solution that involves telling the MySQL terminal 
which database you want targeted by all subsequent statements... 


tWei^re nQ o 

Dumb Questi 9 ns 




What’s up with the weird -> prompt I get sometimes in the MySQL terminal? 


The -> prompt indicates that you’re entering a single statement across multiple 
lines—MySQL is basically telling you that it knows you’re still entering the same 
statement, even though you've hit Return to break it out across more than one line. 
Once you finish the statement and put the semicolon on the end, MySQL will execute it. 
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don’t forget the USE command! 


USE the database before you use it 

So that the CREATE TABLE statement will work, Elmer needs to 
select the database in the MySQL terminal so that it knows 
what database the new table belongs to. The USE command 
chooses a database as the default database in the terminal, 
meaning that all subsequent commands apply to that database. 
Here’s how it works: 


The USE tells MyS^L 

dd'tdbdse you "to use- 

USE database name 


Elmer should specify his database name (elvis_store) in a 
USE statement to select the database and access his new table. 


Tlie USE 

commanct selects 
a database as tke 
default database 
lor sutseejuent 

SQL statements. 



USE elvis store 


database youd 
like *to IX 洗 . 



Out you pi 匕 k a database b> 

USt, oi\\tr databases ort i\\t 
database scv-vc\r arc iyorecl … wtil 
you 吐 oose *to USt a di 以 W ⑼ t o”e. 


"The use 匕 ommdhd 

looses -the database 
you waht -to work wi-th. 
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create and populate a database 




Tesr DriVq 


First USE Elmer’s database, then create the table. 

Execute the USE query to select Elmer’s elvis_store database 
in a MySQL tool, and then execute the CREATE TABLE query to 
create the email list table inside the database. 


USE elvis_store 

CREATE TABLE email_list (first_name VARCHAR (20) , last_name VARCHAR(20) , email VARCHAR(60)) 



The table 

匕 ode is the 
3s bc-Pov*c — it just 
needed the daiabdse 
sclc^cd bc-Povc it 

would wo\rk. 


I File Edit Windov 



TV^c USE sta 七⑽⑼七 r^essa\ry 

i-f youVc us'm^ d "tool 

su\\ as - it verves you 

{jo select da^basc yapically 

bc-fovc issum^ S6^L- £.orwm3^ds. 


mysql> USE elvis store; 


Database changed 

mysql> CREATE TABLE email list 


first_name VARCHAR(20), 
last__name VARCHAR(20), 
email VARCHAR (60) 



VV»*tK i\\t database selected 
*tKay\ks *to *tV^c USt 
七 he -table 伙 eaW ^ 
y/OV~ks y/l*tK v\o fVoklcW'S. 
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the DESCRIBE command 



There isn’t exactly an undo option in SQL but it’s 
certainly possible to fix mistakes. 

However, first you need to find out exactly what kind of mistake has been 
made in order to fix it. Suppose the email—list table looks like this: 


email list 


first naem 

last 一 name 

email 





Circle what you think is wrong with this table. Any idea how 
you might fix it? 
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PESCRIPE reveals the structure of tables 

Repairing a mistake in a table first involves finding the mistake. Even if you 
don’t suspect a mistake, it’s never a bad idea to check your work. The SQL 
DESCRIBE command analyzes the structure of a table, displaying a list of 
column names, data types, and other information. 

table name 


DESCRIBE 


Plugging in Elmer’s table name gives us the following SQL statement: 


- This is the hdrvte of 

DESCRIBE email_list the -table wc waht 

一 see dcsMbed. 


Uhdcv Ticld" you 
ea^ tolumh. 


M Ty P c w you s ( 
■the daia types wc 

sci 從 h 匕 olu 味 



mysql> DESCRIBE email—list; 

+-+- 

I Field I Type 


- + -+-十-+ 

Null | Key | Default | Extra | 

_J-- - h - 卜 


_ 


first_naem 

last_name 

email 


varchar(30) | YES 
varchar(30) I YES 
varcharJ^O) I YES 


I varc] 

皆一一 


NULL 

NULL 

NULL 


3 rows in sety/(0.02 sec) 



there jetre no o 

Dumb Questi9ns 


MyS^L is hot CBiSt schsitivc wheh 
it domes -to \rcsc\rvcd wov-ds, sudh as 
da*ta types, whidh is why you may 
sorwetimes SCC -them ih \o\ 


>wc\r^asc. 


What’s up with those other 
columns: Null, Key, Default, and Extra? 

MySQL lets you set a number of 
options for each column in your table. These 
options control things like whether a column 
can be left empty or if it has a default value. 
Well explore these a bit later when they 
become more critical to the application. 


So if I actually had data stored in 
my table, would it show up here? 

No. DESCRIBE only shows you the 
table structure, not the data stored in it. But 
don’t worry, you’ll see the data in your table 
very soon... but first we have to learn how to 
actually put data into the table. 


Q/ Can I look at the same table 
structure using phpMyAdmin? 

Yes. Graphical database tools such as 
phpMyAdmin allow you to view the structure 
of tables by issuing a DESCRIBE 
statement or by clicking a visual view of a 
table. It's entirely up to you which kind of tool 
you use to analyze your tables. 
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DROP your table 


TV^c toluwm 

v/as a^dcyrtallY 啪畔 lied 
»(*iv*s*b y\3Cw … oo?s! 


I fixed the typo and tried to run the 
CREATE TABLE query again. It didiVt 
work. Surely I don't have to delete the 
typo'd table first... do I? 


^firs t nae: 
i last_na 
I email 

+ - +-+ 

3 rows in set (0.02 sec) 


Type 

| Null 

L j 

1 Key 

L I 

I Defa 

1 

varchar(30) | 

I YES | 

r - H 

l I 

1 - 

| NULL 

varchar(30) | 

I YES | 

i l 

| NULL 

varchar(60) | 

YES | 

l 

I NULL 


+ - + - + - + 

It I Extra I 

--+ -+ 


_ + ■ 


■ + _ 


_ + - + 


J 


Actually, you do. You can’t recreate a table again with 
CREATE TABLE once it’s been created. 


Once you’ve created a table, it exists and can’t be overwritten by a 
new CREATE TABLE query. If you want to recreate a table from scratch, 
you’ll have to delete the existing one first, and then start over again. 


In SQL, the DROP 


TABLE command is used to delete a table from a 


database. It deletes the table and anything you’ve stored in it. Since no 
data exists in a new table, we won’t lose anything by dropping it and 
creating a new one with the f irst_name correction. 


DROP TABLE email list 


TKc *tV^c table 

'd like *to 

-tKc database. 


r ( 

A*vo» 


、 Tk DROP TABLB 如 d 

deleies a tabic AHV dll its 

data -f\rorh the database. 
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Elmer's ready to store data 

The CREATE DATABASE, USE, and CREATE TABLE SQL 
commands were successfully used to create Elmer’s email list 
database and table. Elmer couldn’t be more pleased, unless 
maybe the table was already filled with eager customers. 
That’s a job for PHP... 


Nice. With the database 
and table created, Tm 
ready to start storing some 
serious mailing list data. 


O 


elvis store 



cma'ilj'ist -table / 

to^s'isls toluwms 

vised *to s*tovc data 

-fov- 它 Uev’s list 


iJieretare no o 

Dumb Questions 



Hey, I have a copy of Head First SQL (great book, by the 
way). In that book, every time you show the code for an SQL 
statment, you put a semicolon after it. Why not here? 

We're glad you enjoyed Head First SQL. The difference is that 
when you talk to MySQL directly, you need a semicolon so it knows 
where the end of the statement is. That’s because it’s possible to 
issue multiple statements to MySQL directly. In PHP, when you use 
the mysqli—query () function, you only execute a single SQL 
command at a time, so no semicolon is needed. But don’t forget that 
you do still need a semicolon at the end of each PHP statement! 


So if my table has data in it and I drop it, all my data is 
deleted too? 

That is true. So drop tables with care! 

So if I need to change a table with data in it, I’m out of 

luck? 

Hey, no one is perfect. Everyone makes mistakes, and SQL 
offers the ALTER statement to help us change existing tables. Well 
talk about this command a bit later on in the book. 
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the addemail.php script 


Create the Add Email script 

Elmer needs an HTML form that can collect names and email 
addresses from customers. Once he has those, he can grab them with 
a PHP script and store them in the email—list table. The web 
form (addemail. html) requires three input fields and a button. 
The form action is the most important code in the form since its job 
is to pass along the form data to the addemail. php script we’re 
about to create. 


You a\rc Y\oyN 


-Q ― greato a database and table^For 

Q Create an Add Email web form 
and PHP script for adding a new 
& customer to the list. 

❺ Create a Send Email web form 
and PHP script for sending an 
email to the list. 



q o rs 


The -Povrw a^-tioh is what 
the HT/l/IL web 
with the PHP sdv-ipt 
"that 

p\ro^csscs its da-ta. 


^ El^ii ■ Ada 




Lskururm 

Embj 




addemail.html 


Wcw ^ustomcirs avc able io 

joih ELc\rs email list (yi 
added io his daiab^se) 
simply by usihg -the web 



〈” name-email" /><br /> 

</html> 


TKc addemail ^ 

sfirip 七 k r\AY\ 

七 fovw' is subw'i*t*tcd) 

and i*b jot ,s *to 

pv-otess i\\t -fovw' 
data and add *t^c 
tusWcv- *to c^ail 
list (database table). 



elvis store 


email list 
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The addemail. php script processes data from the Add Email form. The script should take 
the data from the form, connect to the eivis_store database, and insert the data into 
the email—list table. Help Elmer by first writing an example SQL query to insert a new 
customer, and then use that query to finish the PHP script code. 


仏 3 七 ihscirts data 
iirto table. 
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exercise solution 



E/eitctSe 

SoLytiOH 


The addemail. php script is called upon to process data from the Add Email form. The script 
should take the data from the form, connect to the eivis_store database, and insert the 
data into the email—list table. Help Elmer by first writing an example SQL query to insert a 
new customer, and then use that query to finish the PHP script code. 


INSERT ll^/TO entail lis*t las*t 灼 cwil) 

_ ■ _ ■ _ ■ 

W\LU6S OvJuliaA julia^^bv-cak^cdkpiz^.dom 1 ) 



Hc\rc a\rc -the POST 
away values iha-t 仏山 … 

七 he submrtted m-fov-rwa-tio^. 


Uc e INSERT <\uery is 

vo/v’rtt ⑶ as a PWP 

oy\ -fovm daia (or mscvtio^. 


<?php , 

$dbc = rv\ys^|i 外? 


cUcr, 如 kiy^’, 'cIvis^sW') 

■•鏖 •• ••參 參 •••••*** 


or a.c(W. . 

參* 參# •參•■參 參* ••• 

$first name = $_POST['firstname']; 

f last^amc =； i 和 .O;. 

. 

$query = w |NStRT INTO ^ailj»st! as ^ amC, . ^ 3 ' 11 •• 

w \/Alues 巧 : f »r s iL—. 心 . : 扣 心 .: fX). 

mysqli_query ( fdbd, f^uCV*y … ..） 

ov d\tC^YY 0 >r ”9t . 

echo * Customer added .; 


、 :/ 也乙 ! 0 ： ^ 却 ;. . 


?> 


I*P we v/a^ied -fco be -Pa^dy hcv-c, 
we dould pu-t a I’mk ba^k -to ouv 
*fo\rm wi-th av\ HTML <a> -tag. 


r> 


addemail.php 
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Tesr DriVq 


Try out the Add Email form. 

Download the code for the Add Email web page from the Head First Labs web 
site at www. headf irstlabs . com/books /hf php. It’s in the chap ter 03 
folder. This code consists of Elmer’s web form in addemail. html, a style sheet 

(style . css), and two images (elvislogo. gif and blankf ace • jpg)- 

Now create a new text file called addemail •Php, and enter all of the code on 
the facing page. This is the script that will process Elmer’s web form and add new 
customers to the email—list table. 

Upload all of these files to your web server and open the addemail. html page 
in a web browser. Enter a new customer in the form, and click Submit. 


VoY\t -Poirgc-t "to 

the database 

乙 ormc 亡 tioh v^Hables 

"to youir owh. 



朽 n o 


Make 由 ElMii - AdiS ln\Ai 


卜 la 以解 

Enurf 样 iirfrp np™. u M 赢 c 

r-t Mi Elvh- 


Jukin 


Lau rumt 


Efniii 沪 





Make rtdu trra 


T\\C *mscv-t*ior\ o^ 
i\\t tus-bomcv- 
-to i\\t email list is 
iv~w\cd by 

addcma'il ^p script. 


Check to see that the customer was added to the database by issuing a SELECT 
query in a MySQL tool. 


mysql> SELECT ^ FROM 


email list/ 


first—name I last_name | email 


Julian 


Oates 


julian@breakneckpizza. i 


row in set (0.0005 sec) 
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test your SELECT skills 



Is the star in the SQL SELECT command the 
same thing as an asterisk? 

Yes, it’s the same character on your keyboard, located 
above the 8 key. Hit SHIFT at the same time as the 8 to type 
one. But although it's exactly the same character as asterisk, 
in SQL lingo, it's always referred to as a star. This is a good 
thing, since saying “SELECT asterisk FROM...” is 
not as easy as saying “SELECT star FROM...". 


Are there other characters in SQL that have special 
meaning like the star does? 

While SQL does have other special, or reserved, 
characters, the star is the only one you need to know about 
for right now. More importantly for our immediate purposes, 
it's the only one used in the SELECT part of an SQL 
statement. 



『pen your pencil 


With Elmer’s email list starting to fill up, help him write some SQL 
queries that he can use to find specific customer data. 


Select all of the data for customers with a first name of Martin: 


Select only the last name for customers with a first name of Bubba: 


Select the first name and last name for the customer with an 
email address of ls@objectville.net. 


Select all of the columns for customers with a first name of Amber 
and a last name of McCarthy: 
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Pile FHit Window Help Elvismles 


_ __ 


•ast name I e 
_ A — 


_ _ 



Very cool. Now that users 
can subscribe to my email 
through a web page. The list 
pretty much builds itself. 


Louis 

Bubba 

John 


Oates I julian@breakneckpizza.com 

TrmAs I jonesQsimuduck.com 

Sanchez I sunshine@brealcneclcpizza.com 

Wallace I bo@bOttOmsup.com 

McCarthy I a^er@brea k neclcpi Z za o Co m 

Hurst I churst@boards-r-us.com 

Zlltr I joyceharper@breakneckp.zza.com 

Meyer I meyers@leapinlimos.com 

Wilson I martybaby@objectvxlle^ne 

Perala I walt@mightygumball.net 

I nn , craftsmangbreakneckpizza.com 

- Uny ° n 1 ； oe_m@starbuzzcoffee.com 

I bruce@chocoholic-inc.com 

I pr@honey-doit.com 

, on I bertieh@objectville.net 

‘ n I gregeck@breakneckpizza.com 

I wilmawu@starbuzzcoffee.com 
一 __ I samjaffe@starbuzzcoffee.com 

Shaffer I ls@objectville.net 

Shakespeare| bshakes@mightygumball.net 

^ I johndoe@tikibeanlounge.com 


ano 




一 Jffe 
Shaffer 



This ish'-t the Chd o( 
七 he dd'td …日 

jus-t has a rapidly 
g^rowihg Wmg list/ 




But the email list can’t send itself. 

Elmer’s still missing the other part of the web application, the part 
that allows him to enter an email message and have it delivered to 
everyone on the email list. To do this, he’ll need a new HTML form 
and a PHP script to put it into action... 




2 - is doY\t\ 





> - ~^f s e€^e-4h-€l«4 : @fe«se-« 

-the-email Itstr- 

md table for 


i 明 k r - 

and PHP sa ■ i ut ~fur~udd irty u tww- 


o Create a Send Email web form 
and PHP script for sending an 
email to the list. 
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sharpen your pencil solution 



With Elmer’s email list starting to fill up, help him write some SQL 
queries that he can use to find specific customer data. 


Select all of the data for customers with a first name of Martin: 

SELECT ^ FROM cmaiMist -fivs*t_^amc — 


\. 

^ The star sclcdts alL*t^c 

C.oIu»wk\S m "tsblc- 


I This INHERE clause tv-i^s dowh ihc 
Aueiry v~csul*ts -to ohly those ^us-fcorncv-s 
with 3 -Pilrs-t 刎狀 tm. 


Select only the last name for customers with a first name of Bubba: 

SELECT las*t_^amc FROM cmaiMist 1 /VttERE — 'Bubba^ 

.f.. ’ . 

Dhly 七 he Ids 七 dolumh is 

\rctu\rhcd ih the <^uc\ry vcsults. 


Select the first name and last name for the customer with an 
email address of ls@objectville.net. 


SELECT -fi\rs*t_^amc, las*t_^amc FROM cmaiMis*t IVHERE email — Is^ob^cd-tvillc 

. ’…… c.^. 

You spedi-fy multiple dolum^s of v*csul*t da*ta 
by scf3V*a*tm5 dolumr> v/rth dommas. 


Select all of the columns for customers with a first name of Amber 
and a last name of McCarthy: 


SELECT ^ FROM email—list INHERE — '/Wbc〆 AND last_^amc — 1 綠 Cav^hy’ 


The 1/VttERE clause ^ be made dcpchdc^t oy\ 

你 ultiple pieces o( ih-Pov-matlOh, *m this case a 
r^a-Uh 4\r both a -filrst holme AND a last hdme. 



132 Chapter 3 











create and populate a database 


The other side of Elmer's application 


Sending email messages to people on Elmer’s email list is similar in some 
ways to adding people to the list because it involves an HTML web form 
and a PHP script. The big difference, is that sending an email message to the 
mailing list involves dealing with the entire contents of the email—list table, 
whereas the addemail. php script only deals with one row of data. 


TV^c Email web ^o\rw> 
allov/s EUcv- -to cir\*tcv- a 
subjet-b ay\d body <^f ^ 
email message, Bv\d 从⑼ stv\d 

rt "to Ms email list- 


令 






-gpeate-^-skHtebase and-to b h e -for 
■+He~#moiU4stT- 


Cne^te-an Add Cmai • 卜 w g brform 
•^4-PHP sc ript~f gr~atfcHngt3rfi€w 

-€4ist©map to the-tistr- 



Create a Send Email web 
and PHP script for send in 
email to the list. 


Id- 


v-c 

-f inally 

las 七 s*tc\>. 


PmHl.Fc-FrtWrtuw ONI.r 

咖咖咖 Dn 抑咖 ml ㈣ 


BiMj* IWTUIJ. 



^orm method="post" a'ctTon="sendemail .php"> 

〈label for="subject">Subject of email:</label><br /> 
〈input type="text" id="subject" name="subject" size= 
〈label for="elvismail">Body of email ： </label><br /> 
<textarea id="elvismail" name="elvismail^ rows="8" cols 
〈input type="submit" name="submit" value="Submit /> 

</form> 

</body> 

</html> 


60 " /><br /> 

60”></textarea><br /> 


scndc^a'il ^ 七 . 



4 


TKc sc^dcmail ^ stnft 
redds tusWcv-s ^v-om 
•tKc database table 
f ad se^ds tUcrs era'll 
message -to ca^ o-f 




sendemail.html 
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the sendemail.php script 


The nuts and bolts of the Send Email script 

The sendemail. php script must combine data from two different sources 
to generate and send email messages. On the one hand，the script needs 
to pull the names and email addresses of the email recipients from the 
email—list table in the elvis—store database. But it also has to grab 
the email subject and message body entered by Elmer into the Send Email 
web form (sendemail. html). Let’s break down the steps involved. 



Use the $_post array to get the email subject and message body from the form. 

There’s nothing new here. Clicking the Submit button in the sendemail. html form sends the form 
data to sendemail. php, where we capture it in variables with a little help from the $_POST array. 



Run a select query on the email 一 list table. 

The PHP mysqli—query () function runs a SELECT query to get the data for the email list. Since 
we want all of the data in the table, we can use SELECT *. 



Fetch the email data from the query result. 

Running a query alone doesn’t provide access to data. We need to grab each row of data in the query 
results in order to have access to the first name, last name, and email address of each customer. 



Call the mail () function to send an email message to each 
customer. 


Sending the emails involves looping through each customer in the email 
list, which corresponds to each row of data in the query results. The loop 
we create here starts at the first row of data, then moves on to the second 
row, and loops through the remaining rows of the data obtained by the 
SELECT query. We stop when we reach the end of the data. 



email list 



The heeds 

加 ail daia -P^om 

iablc. 
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First things first grab the data 


We’re already pretty well versed in extracting data from forms in PHP, 
so the first step is nothing new, just use the $_POST superglobal to store 
away the email subject and message body in variables. While we’re at it, 
let’s go ahead and store Elmer’s email address in a variable since we’ll 
need it later when sending the emails. 


$from = 1 elmer@makemeelvis . com' 
$subject = $_POST[▼subject 1 ]; 
$text = $ POST[ 1 elvismail 1 ]; 


EUev s email address is s-tov-cd ih a 
variable so that we khow exactly 
it is ih dasc it CVClr heeds -fco 

TKc end'll 州 essay fow data's 

s*tovcd •… v^visiolcS) *too* 


The remaining data required by the sendemail. php script comes from 
Elmer’s MySQL database. Pulling customer data from the email—list 
table data into the script requires a SELECT query. Unlike before when 
we’ve used the MySQL terminal to issue a SELECT and look at table data, 
this time we’re doing it in the sendemail. php script and issuing the 
query with mysqli_query (). 




s ouv 




dll or "the dolun^hs 


T\\t f<\ucvy vav-iablc Isolds 

^ ^ W as a ^ ^ ^ ⑽.，旧術 

$query = n SELECT * FROM email list” 


$result = mysqli query($dbc, $query); 


exedu-tes -tk quev-y 

us,h 9 a variable (fdbd) 

3hd a <\uc\ry s-tirihg 



A database £.or\y\c£.*t'»oir\ is v-c<\u'iv-cd 

•m order -to sukrnrt a ^ - 
dc-bails o-f i\\t toY\v\tci ： \oY\ art 
sWd i\\t jd\)t variable. 



So all we have to do is go 
through the query results in 
the $ result variable, right? 


No, the $result variable doesn’t actually hold any query data. 

If you try to echo the $ result variable directly, you’ll see something like this: 

Resource id #3 

The $ result variable stores an ID number for a MySQL resource, not the actual data 
returned by the query. What happens is the MySQL server temporarily stores the results of 
your query and gives them a resource number to identify them. You then use this resource 
ID with the PHP mysqli—fet ch— array () function to grab the data one row at a time. 
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use mysqli_fetch_array() to get the query results 


mysqli 一 fetch 一 arrayO fetches query results 


Once our query executes, we can grab the results with the $ result variable. 
This variable’s used with the mysqli_f etch_array () function to get the 
data in the table one row at a time. Each row of data is returned as an array, 


which we can store in a new variable named $row. tl- C . 

/ Y 七广咖 irctv-icvcs a v-ow of 

X ihc ”7 results ahd 

stoics it ih dh avvay. 



$row 


=mysqli 一 fetch 一 array ($result); 

The vav-iablc f\row is Bv\ 
that initially s-toves the f '^si 
Vow of data -P\rorw ou\r vaults. 



Eadh S6^L ^uevy has i-ts ovm v-csouv-dc ID 
^umbev- -that is used *fco a^dess -the data 
associated v/ith i*ts \rcsul-ts. 


Each time this code is executed by the web server, a row of data from 
the query results gets stored in the $row array. You repeatedly call the 
mysqli_f etch—array () function to step through each row of the 
query results. So the first three calls to the mysqli—fetch 一 array () 
function retrieve the first three rows of data from the table, storing each 
column of the row as an item in the $row array. 


Tke myscjli—f etcli—array() 
lunction stores a row oi 
data in an array. 


$row = mysqli 一 fetch 一 array ($result) 
$row = mysqli 一 fetch 一 array ($result) 
$row = mysqli fetch array($result) 


The fVow variable is sc-t as 
a\r\ray dohtaihihg thv-cc 

clcmCh-ts, ohC -fo\r op 
"the dolur^hs o-p 


匕 h dolumh o-f is s-toved 

as a" \tcm i h the fVow av-v-ay. 



$row 


$row 


$row 
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— your pencil 


As a test to make sure we can actually get the customer data a row at 
a time, finish writing the PHP code to echo the first name, last name, 
and email address of each customer in the email list table. 


$query = "SELECT * FROM email—list"; 
$result = mysqli 一 query($dbc, $query); 
$row = mysqli—fetch—array($result); 
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not the best solution 


(^Sharpen your pencil 

Solution 


As a test to make sure we can actually get the customer data a row at 
a time, finish writing the PHP code to echo the first name, last name, 
and email address of each customer in the email list table. 


$query 


SELECT * FROM email list ，，； 


$result = mysqli—query($dbc, $query); 

$row = mysqli—fetch—array($result); 

cdho fv-ov/C'-fivs-t 的 amd . 11 • fv-ov/Clas-t 的 am〆 ]. 1 ： 1 • f\rov/JTemair] . ^bv- />] 

fVov/ — fVcsult )； 

Cdho fvowC'-fiv-s-t . 1 1 • WovjC\bs{, 的 amd • 1 ： 1 • WovjC. ^bv />) 

fVov/ 二 mys^li^-fc*tdh^a\r\rayffVcsult )； 

cdho fv-owt'-fivs-t 的 arwd • 1 1 • fv-ov/Clas-t 的 am〆]• 1 ： 1 • f\rov/[ l ew\air] . ^bv- / >\* 

fVow — m Y s< \l ^c*td^a\r\ray( fVcsul-t); 

. <bv />) 

fVov/ 二 mys^li -fc*Uii_a\rv >： 

. 身 . — .You have 分 ot to be kidding me. Repeating 

tt\\o fv-owC'-fiv-s-t the same two lines of code over and over 

r 、 is about the dumbest thing Ive ever seen. 

W • 二 Surely there s a better way. 

Cdho / ^<b\r / >\* 

'\rov/ r (f v-csult) i 

Cdho ~ * lamc'J . " . f\rowClas*t^amc ， ] . 1 • 1 . fVow[>w»a“’] . '<b\r />] 

f\rov / 』 - j ^|K_a\r\ray (fVcsul-t); 

tt fVowHas-t 的 ： 1 . fv-oy/rcmaiH . l <bv / > l ; 



There is a better way — we need a loop. 

A loop is a mechanism in the PHP language that repeats a chunk of 
code until a certain condition’s been met, like running out of data. 
So a loop can cycle through each row of data in a query result, 
taking any action we want to each row along the way. 

















































create and populate a database 


Looping for a WHILE 


A while loop is a loop specifically geared toward repeating code while a 
certain condition is met. For example, you might have a variable in a 
customer service application named $got_customers that keeps up with 
whether or not customers are waiting to be helped. If $got_customers 
is set to true, you know there are more customers, so you might call the 
next—customer () function to get the next customer and help them. 
Here’s how this scenario could be coded using a while loop: 


A wkile loop 
repeats code vkile 
a conctition is met. 


/\s 1 。灼 5 as we still 、 

tus-tomcv-s, kccf oy \ loofmj. \ 

while {$got_customers) { 

next_customer () ；^] This is the toAt that 
一 L cxc^u-tcd ^ 

... J tKv-ough the loop. 


} loop Code v/rtWm 

tuvly Wstcs lc*ts you c%ctu*tc as 
Imcs <^f code as you v/a^t 


When we look to see if there are more customers, we’re testing a 
condition. The condition is the code in the parentheses, and it always 
poses a question that results in a yes/no answer. If it’s yes, or true, then 
the action is performed. If it’s no, or false, then we quit the loop. 



A while loop lets us loop 
th\rough ^us-fcomevs uhtil 


When we call next—customer () and proceed to help them, we’re 
performing an action. The action is the code inside the curly braces, 
which is repeated as long as the condition remains true. If the condition 
ever goes false, the loop exits and the action is not repeated again. 
Here’s the general format of a while loop: 


while 




Tk -test dor^ditio^ always \rcsul*b 
•m -tvuc ov -false... keep 
(*bvuc) ov s*tof loofm^ (-r^lsc)- 


( test_condition) { 


action 



Tk loop a^tioh takes plade ouc 
time thlroujli -the loop. 



How do you think a while 
loop could be used to loop 
through the customers in 
Elmer’s email list table? 
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how whileC works 


Looping through data with while 

Applying a while loop to Elmer’s email data lets us access the 
data a row at a time without duplicating any code. We know that 
mysqli_f etch_array () can take a table row and put the 
column values in the $row array, but the function by itself won’t get 
through all of our data — it will store the first row and then stop. A 
while loop can call mysqli—fetch 一 array () to go through 
each row of result data, one at a time, until it reaches the end. 


TVic v/Wile loop is i\\t 

value • 丨一 •fcUh 一 a 代 

Wtior., as 

•bruc data »s available or false 
•，- f y/cVc all out o-f data. 


while($row = mysqli fetch array($result)) { 




echo $row['first name' 


! ! 


row['last—name ， ] 


<u 

cf 


县 


row['email'] . '<br / > 



The loop 
^hoy\ gets 
each 

仏 e -thorough 

the loop. 


TV\C loof a6*t«ov\ 6ov\s»s*ts 
cJc by\ tt\\o s*ta*tcwc 朽七 
栋 a 七 st»6ks i\\t data 
-toyt^cv …狀 a Uc 
Weak a 七七 he c^d- 


月 s S 

TTiC -Piv-st "time ^ ^ 

班 、 ifllOlOl 


針 ay holds the 
\row c^f -the 

CmaiMis-t "table. 


$row 


email list 


f jirst 一 ncmie 

losOjonj^^_ 

t Julian 

Oates 

1 Kevin 

Jones 

1 Amanda 

C=I 

Sanchez 


\ 


\ 


\ 


\ 


\ 


\ 


\ 


\ 


、 Wo re 


.com 


email 

~j^nn@breackneckpizza.< 
jnnes@simuduck.com 

rr chm ft @breakneckpizza.com^ 


ist loop 


醺 


2 nd loop! 


名 s s 

1 J § 





$row 




loo 


Ps_ 


TV stCoY\d tiw'C tiivou^ -tiic loop i\\t 
fVov/ av-vay Isolds i\\t stCov\d v-oy/ o\ *tiic 
email lisi -tablc . scc a Kcvc? 
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The tt\\o s-ta-tcr^Ch-t ihside the 
V/We, loop takes -the daia ih 
■the f\row 針 ay av\d outputs 

^oY^iitd WTML doh-tch-t. 


V V 


$row['first name' 


\ 



$row['last name' 


/ 


/ 


县 



$row['email *] 


舡 HTML Ime Weak 

puts ca^ vov/ of 

data ov\ »*b o^v\ Imc 

OY\ •tVic v-csultm^ 


▼<br />▼ 


TV key used io aucss 
"the airray clc^eni must 
3 dolumh hdme. 

Tke wkile loop 
goes tkrougli 
tke tatle data ， 
row Ly row. 
Wken it runs 
out ol rows oi 
data，it ends. 



V V 


Ketir T 0ateS ： ,^ lian @breakneckpizza.com 
n Jone s : 〕 ones@simuduck.com 

^ a Wallace ChS h ' " Unshine @^eakneckpizza. com 
bo Wallace : bo@bOttOmsup.com 

C^mac M H Car f hy ： amber @ br ^kneckpizza.com 
rmac Hurst : churst@boards-r-us.com 

° YC ^ Harper ： joyceharper@breakneckpizza com 
Stephen Meyer : meyers@leapinlimos.com 
Wa f^p S ° n ： mar tybaby@objectville.net 
= 七 Perala : walt@mightygumball.net 

Joe n Milano n -° n ： C " aftsman ^reakneckpizza. com 
S Mllano - 3oe_m@starbuzzcoffee.com 



The sedohd time -thv-ough the 
loop "the ttho output 

ahothev sco\[acy\U o( ic^i, but 
this "time -the dd'te) ih the sc^ohd 
row W -the table is used. 


/ 




$row['first name' 




s 


§ 


+ '<br />' 



$row['last name' 


$row['email'] 


IVe do^i a^ually use a plus sigh -to add 
stvih^s "togethev- — wc use the dot opev-a-fcov. 


tWc -tViv-ou^ {\\t loo\>> -tV^c 

values s*tov"cd m fv*ow sv-v-ay 

-to *tV^c turret rov/ 

of dd'td. Column y\ 3 mCS 3 VC used "to 
d£.£.ess *t^c values m *t^c av-vsy- 


you are here ► 


141 





no dumb questions about whileQ 



Dumb Questions 

How exactly does the while loop know to keep looping? I 
mean, awhile loop's controlled by a true/false condition, 
and mysqli_f etch_array () returns some kind of 
resource ID, which is stored in $row... That sure doesn’t look 
like a true/false test condition. 

Good observation. As it turns out, PHP is fairly liberal when it 
comes to how it interprets the “true” condition. In short, any value that 
is not zero (0) or false is considered true for the sake of a test 
condition. So when the mysqli—fetch—array () function 
returns a row of data, the $row array is interpreted as true since 
it isn’t set to 0 or false. And since the test condition is true, the 
loop keeps on chugging. What’s interesting is what happens when no 
more data’s available—the mysqli—fetch—array () returns 
false, which terminates the loop. 

So I can control a while loop with any kind of data, not 
just true/false values? 

That’s correct. But keep in mind that ultimately the while 
loop's interpreting the data as true or false. So the important 
thing to understand is what constitutes true or false when it 
comes to the interpretation of other types of data. And the simple 
answer is that anything other than 0 or false is always interpreted 
as true. 

What happens to the while loop if no data is returned by 
the mysqli_fetch_array () function? 

If the query doesn’t result in any data, then the 
mysqli_fetch 一 array () function returns false. And this 
causes the while loop to never make it into the action code, not 
even once. 

So it’s possible to have a loop that never loops? 

Indeed it is. It's also possible to have a loop that never stops 
looping. Consider this while loop: 

while (true) { 

This is known as an infinite loop because the test condition never 
causes the loop to exit. Infinite loops are a very bad thing. 


BULLET POINTS - 

■ A database is a container for storing data in 
a highly structured manner. 

■ Tables store data in a grid-like pattern of 
columns and rows within a database. 

■ The create database SQL command 
is used to create a new database. 

■ The create table SQL command 
creates a table within a database and 
requires detailed information about the 
columns of data within the table. 

■ You can delete a table from a database with 
the drop table SQL command. 

■ The mysqli_fetch_array() 

function retrieves a row of data from the 
results of a database query. 

■ Awhile loop repeats a chunk of PHP 
code while a test condition is met. 


-tbe~smGiUl4s i h- 

-Q ~~gr G Q tc ! a n Add [ m a i l ~wetr foiirr 
and PI IP scrip I fui 1 atldiiiy a new 

customer 4o the list— 


Create a Send Email web 
and PHP script for sen 
email to the list. 


eb formN 
ding an 


r 

Por\’*b -fo\ryb> still 
•bV^at last sUy bo uf. 
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PHP& MySQL Magnets 

Use the magnets below to finish the code for the Send Email script so that Elmer can start sending 
emails to his customer list. As a refresher, here’s how the mail () function works: 


mail(to, subject f msg, 1 From : 1 • from ); 
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the finished sendemail.php script 



PHP& MySQL Magnets 


Use the magnets below to finish the code for the Send Email script so that Elmer can start sending 
emails to his customer list. As a refresher, here’s how the mail () function works: 


mail(to, subject, msg, 1 From : 1 • from) 


Make suv-c *to {\\\s *to 


youv 


ovm Cmdil addv"€ss. 


<?php 
$f rom 


elrnsr@rci 3 .ksrneslvis. com 


$subject = 
$text = 


I 


$ I POST 


The Subject -fov-m -field is 

Subjc£."t ) wllldll IS used 

"to a^^css ii \v\ the f__P0ST av-v-ay. 


POST 


elvismail 


. , I mor-' i thekina' , ' elvis store') 

$d s : 工 1 二： r ， - …… 


$query = "SELECT * FROM email—list n ; 
$result = mysqli—query($dbc, $query) 

or die('Error querying database .’）； 

while($row = mysqli—fetch—array($re S ult)) 

$first name = $row [ 1 first—name ], 

$last name = $row['last_name']; 


TVic email message 

•is cysitrtA m*to 七 " 

•field ^dmed 'IviWil' 


/ 


The email 


cr^ail -text ， 


-Dear $first_name $last name An $ | text | 


row 


email 


: t [ , I $ I msg I 


'From 


from 


echo 1 Email sent to 


to 


<br /> 


/ 


mysqli—close($ db c); 


?> 


The era'll vcd*if*icir>*t> message subject 
message body, av-c passed *m*to ihe mailO 
•fund 七 ’| 。朽， dloy>^ >wi*bV> s ^vorw 3ddv*css. 




The W Cnr»ai| W 匕 olurwh ’m *thc ddidbase 

Isolds *thc dddircss *tlic 
匕 us*tome\r, whi^h the message should 
be addressed -to. 


sendemail.php 


J\ 6 o^«vwat«ov\ message 
c^oed b> 

{y t email addws o\ tach 
duskwev ,s wa， ' c ^* 


Its gChC\rally hot 3 good ided \Y\ *tc\rrws 
sc^uv*i"ty "to pdss dloh^ usc\r— 

diV"C^"tly "to "the rw^ilO 匕七 ion wi'thou't 

^hcd'rng it -Pi^rst. Chaftcv- v-cvcals some 
tc^hhi^ucs -Po\r ove\rdom*m^ -this j>v~oblem. 
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Tesr DriVq 


Send an email to the mailing list using the Send Email form. 

Download the code for the Send Email web page from the Head First Labs web 
site at www. headf irstlabs . com/books /hf php. It’s in the chap ter 03 

folder. Similar to the Add Email page you saw earlier, this code consists of a web 
form in sendemail. html, a style sheet (style. css), and a couple of images 

(elvislogo. gif and blankf ace • jpg)- 

Create a new text file called sendemail •Php, and enter all of the code 
on the facing page. Upload all of these files to your web server and open the 
sendemail. html page in a web browser. Enter an email message in the form, 
and click Submit. 


youV" 3dclv*css 

y/ill *to be o\r\ 
i\\t list m 

ov-dev- -fo\r you *to 
rctcWc a message- 


You've got mail...from Elmer! 

At last, Elmer can send out his MakeMeElvis.com sale emails to everyone on his 
mailing list by using his new Send Email web form and PHP script. He can also 
use the output from the script to confirm that each message is successfully being 
sent. Each time the code in the script’s while loop executes, he sees “Email 
sent to someone@somewhere.com” with the email address of the person in his 
database. The end result is more exposure for his products, and for better or 
worse, more Elvis look-alikes! 


I've sold out of blue 
suede shoes...rm rich! 


EWS ■ SWld 

E_ ~ 



TVic Sad tea'll 
v-edllv does scy\d *to 

addresses stov-cd m {\\t 
database, so be tarc-ful 


^ n. 



O 


-㈣ 1131 

Boij^orcma* 

K; 1 

■fuili _ &nt|f * r *' 


how 







Email sent 
Email sent 
Email sent 
Email sent 
Email sent 
Email sent 
Email sent 
Email sent 
Email sent 
Email sent 
Email sent 
Email sent 
Email sent 
Email sent 
Email sent 
Email sent 
Email sent 
Email sent 
Email sent 
Email sent 


Elvis ■ Sb^iuI 


to: julian@breakneckpizza.com 
to: jones@simuduck.com 
to: sunshine@breakneckpizza.com 
to: bo@bOttOmsup.com 
to: amber@breakneckpizza.com 
to: churst@boards-r-us.com 
to: joyceharper@breakneckpizza.com 
to: meyers@leapinlimos.com 
to: martybaby@objectviIle.net 
to: walt@mightygumball.net 
to: craftsman@breakneckpizza.com 
to: joe_m@starbuzzcoffee .com 
to: bruce@chocoholic-inc.com 
to: pr@honey-doit.com 
to: bertieh@objectville.net 
to: gregeck@breakneckpizza.com 
to: wiImawu@starbuzzcoffee.com 
to: samjaffe@starbuzzcoffee .com 
to: ls@objectville.net 
to:^^^es@mightygumball.net 
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our app needs delete functionality 


Sometimes people wawt out 

As with any blossoming new business, there are bumps in the road. 
It seems some Elvis fans have jumped ship on the King and want 
off Elmer’s mailing list. Elmer wants to oblige, but that means he 
needs to remove the customers from his database. 



It’s a fact of MySQL life — sometimes you need to remove data from 
your database. Elmer needs to expand his application to delete users 
from the emai 1 list table. 


Dear Elmer, 

Ido not wish to receive any 

m0 re sales ema^s for th^ 

Store. I'm still a fan of Elvis^but 

I can no longer look the 
F^ease take me off of your list 
My email is cbriggs@boards-r 

us.com. 

Thanks, 

An Ex-Impersonator 


二 : 

moves r e °i°y Elvish ■ 

1 




iib 


er 3ce L 


ind\ 


Dear Sir, 

f n ft l rsever f ,a ^rgic reactions 
y^ur authentic horse hair 
sideburns, I've decided that 

d ^ in9 ,ike Bvis isn，t 

H ? ,ove a good cape 

Yours Truly, 

Brian Powers 

bp@honey-doit.com 


I suppose not everyone's cut 
out to emulate The King. I need 
to get these people off my list 
so I can focus on the real fans. 


tUcr s hot -too 
akoiA*t los'm^ tusWcvs, ku*t 
he y/ay\*b *to \\ov\or 
v-c<\ucs*b *to be vemoved 


Write down the new application components you think Elmer 
is going to need to implement the Remove Email feature: 
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Removing data with PELETE 

To delete data from a table, we need a new SQL command, DELETE. 
We’ll use DELETE in a new Remove Email script that deletes 
customers’ data from Elmer’s mailing list. In fact, we need a new 
script and a new web form to drive it... but first we need DELETE. 

The DELETE SQL command removes rows of data from a table. 
This makes it a command you should use very carefully since it’s 
capable of wiping out a table full of data in the blink of an eye. 
Knowing this, here’s the most dangerous form of DELETE, which 
deletes every row from a table. 


This is the Jc 

DELETE FROM table_name the tabic you wah-t -to 

delete \rows -Pv-orn. 


e 


the email list. 


Add [ ma t hwdr fonrr 
and PI IP su ip I fui atlJiiiy a new 

customer to the list— 


~Create a Send Email web form 

and PHP script for sending an 

email to the Ifstr- 


Create a Remove Email we 
and PHP script for removi 
customer from the list. 


zb form^ 
ing a 



W\i\^o\Ai oi\\tr i\\t 

PtLETt co^a^A Completely 

emetics a *bablc o-f aH its data- 


Looks like need a 
-sometimes 

des 咖 plar\s 


So we can never delete 
anything from a table 
without deleting everything? 


No, not at all. DELETE can be used to pinpoint a specific 
row or rows for deletion. 

To precisely target the row or rows you want to delete with DELETE, you 
need to tack on a WHERE clause. If you recall from using it with the SELECT 
command, WHERE allows you to isolate specific rows in a query. 



rpen your pencil 



Suppose Elmer had 23 customers with a first name of Anne, 11 customers with 
a last name of Parker, and one customer with the name Anne Parker. Write 
down how many rows of data are deleted by each of these queries. 


DELETE FROM email list WHERE first name 


DELETE FROM email list WHERE first name 


1 Anne 1 ; 


'Anne' OR last name = 'Parker'; 


DELETE FROM email list WHERE last name = Parker; 
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DELETE with WHERE 


Sharpen your pencil 

Sobtion 


Suppose Elmer had 23 customers with a first name of Anne, 11 customers with 
a last name of Parker, and one customer with the name Anne Parker. Write 
down how many rows of data are deleted by each of these queries. 


DELETE FROM email list WHERE first name = 'Anne'; 


DELETE FROM email list WHERE first name = 'Anne' OR last name = 'Parker'; 


DELETE FROM email list WHERE last name = Parker 


23 




O 


^ Tiridk ^ucstioi^l TiiC l3s*t ir>3rwC isy> 

C^UO*tcd> so Y\0 VOV/S deleted — d\\ 
values mus 七 be quoted- 


Use WHERE to PELETE specific data 

By using a WHERE clause with the DELETE command, we target specific 
rows of data for deletion, instead of emptying an entire table. The 
WHERE clause lets us focus on just the row we want to remove, in this case 
one of Elmer’s customers who wants to be removed from the mailing list. 


DELETE FROM email list 


"to 


WHERE email = ▼pr@honey-doit.com▼ 

The har^c a TK*.s pavi clause 

iable to\^ pev^ms a itsi or> b> 

see V-OY/S 

The actual test within a WHERE clause performs a comparison that is 
carried out against every row in the table. In this example, the equal 
sign (=) tests each value in the email column to see which rows 
are equal to "pr@honey-doit. com". If the value in the email 
column of a row matches, then that row will be deleted. 


A WHERE 

clause narrows 
down a cjuery to 
locus on speciiic 
rows ol data. 


Write down why you think the email column is used in the 
WHERE clause, as opposed to f irst—name or last_name: 
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create and populate a database 


Minimize the risk of accidental deletions 


It’s important to understand that although any column name can be used 
in a WHERE clause to match rows, there’s a very good reason why we chose 
the email column for Elmer’s DELETE query. Consider that if more than 
one row matches a WHERE clause, all of the matching rows will be deleted. 
So it’s important for Elmer’s WHERE clause to pinpoint exactly the row 
you want to delete. 

What we’re really talking about is uniqueness. It’s fairly safe to assume that 
email addresses are unique within the email—list table, whereas first 
names and last names are not. You don’t want to create a WHERE clause 
matching the first—name column to "Pat" just to delete a single 
customer — you’ll end up deleting every customer named Pat! That’s why 
Elmer’s WHERE clause is carefully crafted to look for a specific match with 
the email column. 


A WHERE clause 
in a DELETE 

statement lets you 
pinpoint tke row 
you want to remove. 


DELETE FROM email 一 list 

WHERE email = ▼pr@honey-doit.com▼ 


Us'm^ end'll 乙 oluwm ’m 

dlduse iiclps b> cs*tabl*isK 
dv>d vedude v-isk 
o-f a^idc^ially a \ro>w. 


W we used -fi\rst_hamc ih 

C … ail, this usev- would 
a^didchtally get deleted. 


The PELETE ^ucv-y 

代啪 oves this vow -Pvo 

七 he … w 1 

be scch agaih/ 


om 


email list 


first 一 ngme 1 

last,name | 

Joe ] 

Milano 1 

Bruce | 

1 Spence 1 

[Bertie 

r ai ^ 

1 Henderson 

1 Greg 

j Eckstein 

1 """"" Wilma 


1 Sam 

1 Jaffe 

1 Louis 

1 Shaffer 一 

j Bubba 

1 Shakespeare 

1 John 


J (^PaT - 

1 Grommet 


email 


ioe_m@starbuzzcoffee.com 
f^r..rP@chocoholic-inc.com 


bertieh@objecWille.net 
qregeck@breakneckpizza.con^ 

^•■lmnwu@starbuzzcoffee.co ； 
^^pff^starbuzzcoffee.cor^ 
ls@objectville.net 

bshakes@mightygumball.net_ 

卜 Lr W 崩 ikibecmlounge.co^ 

grommetp@simuduck.com 


mysql> DELETE FROM email 一 list WHERE email 
1 row deleted (0.005 sec) 


’pr@honey-doit.com ，； 
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test-drive the DELETE command 




Tesr DriVq 


Try out the DELETE command on Elmer’s database. 

Fire up a MySQL tool and try a few DELETE commands to delete individual 
rows of data from the email—list table based on customers’ email addresses. 
Just make sure to include a WHERE clause on each DELETE statement so that 
you don’t accidentally wipe out the whole table! 


The DELETE commancTs pretty 
handy, but ideally wed delete rows 
of data using a web form and PHP 
script, right? 



That’s right. Deleting users by hand with individual 
queries is no way to manage a mailing list. 

Since Elmer will inevitably face users who want to be removed from 
his mailing list in the future, it makes a lot of sense to develop a 
web-based user interface for removing customers. An HTML web 
form and PHP script should do the trick, not to mention a DELETE 
FROM query with a little help from a WHERE clause... 
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create and populate a database 


£/ 




Elmer has created a web form (removeemail. html) for deleting a customer from his 
mailing list. All the form accepts is an email address, which is entered into an HTML form field 
named email. Finish the code for Elmer’s removeemail .php script that’s called by the 
form to carry out each customer removal. 





M.ik.1^ Mr ttvK Ri-muvs' Ern.ui 


"This -fovm -field 
is hamed “ ⑽ il” 


Enwffift adorei-^ ifi m 叹设 


Ema*i Badran 


(Remove 


Clidk'mg Remove 

button submits *tKc -fovm 

as a POST vc<\ucs*t *to 
i\\t PttP sdv-ip*t. 


<?php 


removeemail.html 


$dbc = mysqli_connect('data.makemeelvis.com ', 'elmer ', 'theking ', ' elvis_store') 

or die('Error connecting to MySQL server.') 


mysqli_close($dbc); 


?> 



removeemail.php 
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the finished removeemail.php script 




iu：tSe 

tytiOH 


Elmer has created a web form (removeemail. html) for deleting a customer from his 
mailing list. All the form accepts is an email address, which is entered into an HTML form field 
named email. Finish the code for Elmer’s removeemail.php script that’s called by the 
form to carry out each customer removal. 




M al ki^ Mr HvK Ri-muvs' Ern.ui 




"This -fovm -field 

is hdmed Enwflfi enall adore« m 

Bnart addraaa: 

f Remwi ' 


Cl'idk'i^ Remove 
button submits *tKc -fovm 

as a POST vc<\ucs*t *to 
i\\t PttP shrift. 


TilC email -fovm dd*td f 一 POST 

is s*toved •… a V3\ri3blc 七 
used m 如 DELETE «\ucvy. 



removeemail.html 



<?php 


$dbc = mysqli_connect('data.makemeelvis.com ', 1 elmer ', 'theking ', 'elvis_store') 

or die('Error connecting to MySQL server.') 

fcmdil —* f P0£>1~C Cmdil 3j iaAjJ-/U ou*t *(*OV* *tKoSC 3irvd 

" double quotes ^cl Uc double 

, , <\uo*tcs <\o av-our\d *t^c >n\\o\c S《L 

f<\ucvy - “DELETE PR_ email—list INHERE email - C^UCVY ^ sm^le <\uo*tcs av-ou^d 

. 从 cc “j addrcss sw m 

o\r d'icCBrror ^uc\ry*mg database/)； 



It hCVCV Kuv-ts -to ^Oh-fivm what 




mysqli close($dbc); 


?> 



po/ 七 -fov-yt *to c\tav\ Uf by 

tlosm^ i\\t database 



removeemail.php 
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0 


^CV/) wcVc 
Jp'mallY -f misiicd! 



0 





Tqst DriVQ 


■gpeqto-a database an d ta b le for 

the email list. 

Crafts ^rr=A^=Et fR3rl _n w r elx f'omt - * 

and PI IP su i … fu i adUiiiy u miw 

■^ys+omep-te-^he-ffstr- 

€f*e€Hte=«*^e^d-&mfN^©b-4em^ 

and PhJP script for sending ar. 

emai l to-t he list：— 

i €r s ®srt^~Q". , R^iTKK'®i2 1 '"EtTreril web°~fop^ 

cr.d PHP script for removing c 

■ eost o mer^#pW ths-list.- 


Remove a customer from the mailing list using the 
Remove Email form. 

This is starting to feel a little familiar, eh? Download the code 
for the Remove Email web page from the Head First Labs web 
site at www. headfirstlabs . com/books/hfphp. It’s in 
the chap ter 03 folder. This code consists of a web form in 
removeemail. html, a style sheet (style . css), and a couple of 
images (elvislogo. gif and blankf ace. j P^- 

Greate a new text file called removeemail. php, and enter all of 
the code on the facing page. Upload all of these files to your web 
server and open the removeemail. html page in a web browser. 
Enter the email address of a customer in the form, and click Remove 
to delete them from the database. 


^ O 


EltfK ■ Esfn&inj Small 



Fniwim rtmii mhwm » 

CiTUU 



^ I 


The script docs the 
di\rty wov-k issuih^ the 

DELETE ^ucv*y thch 

J ^Oh-Pi\rry»ihg the deletion. 
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the mailing-list app is complete! 

MakeMeElvis.com is a web application 


It’s official. With the help of PHP and MySQL, Elmer’s MakeMeElvis.com 
web site is now worthy of being called an application. Elmer can now store 
data persistently in a MySQL database, and also interact with that data 
through web forms. A combination of HTML pages, PHP scripts, and 
embedded SQL queries allow Elmer to add and remove customers to/from 
his email list (they can also add themselves), as well as send email messages 
to the entire list. 
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aasmsg-""" ■ ri 1 


Viva PHP and MySQL! Now that's a web 
application. I can build my email list, send 
out emails to all my customers, and even 
prune the list...all from my web browser. 




The Add 
page adds new 
customers to 
Elmer’s email list. 


addemai* 

addemail.php 






The Send Email 


page sends an 
email to everyone 
on the list with the 


click of a button. 


sendemail.php 




Return to sender! 
Please remove me from 


the Elvis mailing list 


The Remove Email page removes 
a customer from the email list. 


















create and populate a database 



PHP&MySQLcross 

When you’re finished perfecting Elmer’s dance moves, see 
if you can hum along and finish this crossword puzzle. 



Across 

3. A MySQL database is divided into these. 

5. A persistent, highly organized, data structure that is typically 
stored in a file on a hard drive. 

6. This conditional clause can be added to SQL statements to 
control which rows are targeted. 

8. This SQL command removes an entire table from a database. 

9. Use this SQL command to choose rows from a table. 

10. Use this MySQL data type to store a varying amount of text. 

12. Within a MySQL table, this holds a specific type of data. 

13. Keep doing something as long as a certain test condition 
remains true. 


Down 

1. A MySQL data type that stores numbers without decimal 
places. 

2. Use this SQL command to look at the structure of a table. 

4. When dynamic functionality is added to a web site via PHP 

and MySQL, it becomes an. 

5. Use this SQL command to destroy rows within a table. 

7. After creating a new database in a MySQL terminal, you must 
issue this command before you can do anything with the 
database. 

11. A single collection of data in a table consisting of one of each 
column. 
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php&mysqlcross solution 



PHP&MySQLcross Solution 
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create and populate a database 



Your PHP 备 MySQL Toolbox 

Not only did you help Elmer get his 
web application off the ground, but 
you also developed some valuable PHP 
and MySQL skills in this chapter. For 
instance- 


while 

A PttP loof 叫 do 灼 stvu 乙七 

dllows you *to 3 SCd*tlOir\ 

code as lo^ as a 乙咖 d’rbio 於 

*bv"uc* Otit p3v**bi^ul3\rly 
usay 1 。外 |S 

\ y \ •bliv-ou^ vov/s … 

扣 S6JL <\ucv-y vcsult 


mysqli 一 fetch 一 array () 

TWis buil*t-*m PHP Wti OY\ 
relieves a sm^lc v-oy/ o^c data 
-fv-om *tKc \rcsul*U o-f a database 
' 叫 • Yo“a“all tWis WW 
^catcdlv to v-cad v-oy/ ahtr ro^ 


DR0P TAfi LE tableName 

This S^L statcmch*t dvops av\ 
^ -table the database, 

7 ahih 9 ^ ^ ^ble is .e^oved 

t”ith a,y a,d all sWed 
^/•*tnih i*t. 


DELETE FROM tableName 
Use "this S6JL- s*t3*tcnr\Ch*t *fco 

delete V-ov/S -f\rom 3 -(^blc. 

Dcpchdmg oh how you use 七 he 
S*ta*tcmCh*t, you d3h delete 
ihdividual \rov/s o\r multiple yov/s. 

WHERE 


TW ， 勝山心 

to ^rjwtd 祕』 

a vaWc . 


DESCRIBE tableName 

^y° u io -Pihd out the 

s-tvu^tuve a *bble, ihis S^L 

s-tatcmch-t is what you heed. H 
do ^i reveal ahy data, but it 
does show -the ^olumh hdmes ^hd 
■theiir ircspc^ivc dab types. 


SELECT * FROM tableName 

This S<$L S*taicirwCh*t selects V-OV/S 

-fv-om a -table. I/Vhch the stay is 
used all o^c *thc dolumhs -fov 
•the v-oy/s *m -the table avc v-c-tuv-^cd. 
You ddr\ be spcdi-Pid by listm^ 
mdividudl dolur^h Y\^rr\ts ms*tedd o-f 
•the ^ i-P you do^*t y / 扣七 *to 3 亡七 all 

<Jc the 己 olurrm daid badk -fv-om the 

^ucv-y. 
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4 rec|]!stic and practical appliccttions 


Your Application ♦ 
• on the iVeb 

參 



Sometimes you have to be realistic and rethink your plans. 

Or plan more carefully in the first place. When your application’s out there on the Web, 
you may discover that you haven’t planned well enough. Things that you thought 
would work aren’t good enough in the real world. This chapter takes a look at some 
real-world problems that can occur as you move your application from testing to a 
live site. Along the way, we’ll show you more important PHP and SQL code. 


this is a new chapter 


elmer needs a better mailing-list app! 


Elmer has some irritated customers 

Elmer’s customer mailing list has grown by leaps and bounds, but his 
emails have generated some complaints. The complaints vary, but they 
all seem to involve customers receiving blank email messages or multiple 
messages, neither of which is good. Elmer needs to figure out what’s 
gone wrong and fix it. His business depends on it. 







w,cont> 


'Vein 1 Loyal tki( Anrwv«s Cuaion^p 
tl&art 


This ain t good. I wonder 
if it has something to do 
with that Send Email page... 


日 wcv lor\ 。… s he has a 

WUc 、 50^3 -to 

於 ced some V^clp 1 

ou*t ^a*t >*t is. 


on 


LtinluvecI — intacjK 

Fram. LTmny BuGHe 咖 ■0» 叫咖啡吵 jmbaJl.ri 价 
S4ibi£fiE , - COfliUiHilS 

D 抑 • UtWwr 剀，挪 fl 12201 & 剛 
la : rnw 『 刪 amfll 四件 


Hujf Elmur. 

1Ve 棚 ㈣ 侧 W N 咖娜 1 」阳释日 ㈣ _ n 刪細 rn 

州「咖阶帅剛 ru-. non _ 

« 1 _呷 Fromi bltwft K^ietlw <& 


Di ^' Utto&erzi. mm 1Z 23.33 RM cm 


Elnrnr , 
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realistic and practical applications 



dov/r\ v/iia 七 Elrwcv 

tiVmks *tKc pvoblcm is. 


BE th^ etn^l liH 職伊 

Your job is to play Elmer and figure out 
how diose Hank emails are getting sent. 

He suspects it has somediin^ to do witii 

tire sendemail.lrtinl form. 


fhnn 


M.Lkc Mi* Efvii Si«rid Em.ul 


Prfvdtn: FnrFjmR/s UHft QNJ.r 
购 Mndan snail to nailing 

&*i&j€CI flf &fnail： 


■ Submit 


sendemail.html 
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be elmer solution 



sendemail.html 


Submit butWs fv-csscd 
or\ 七 he -fovm W\{\\ m 

Body •field, a bUk email jcls serrb. 

ComC *bo <Jc i"t ； 3^ 

Subject f ield is a pvoblcm *too- 


BE . etn^l \m tnanagei §©]ug©ti 

Your job is to play Elmer and figure out 
how diose Hank emails are getting sent. 

He suspects it has somediin^ to do witii 

tire sendemail.libnl form. 

^/v'i*tc dovm v/ha 七 ElrwCV 
tiVmks *tKc pvoblcm is. 


fhn n 


l-f I didk *thc Submit button 
y/i*thou 七 -fillip ou 七 a message 
body, a blank email yb 奶七 . 


MLtkp Mt* f Ivi% SL B nd Em. 


ul 




PrfVfte ^- FfirFiRW/H UHfl ONLY 

WM&b 加 Mndan #na.i la nailing lls(#pem& 4r3 . 

Su^ea {Jf 


UodVtflwnail; 


162 Chapter 4 












realistic and practical applications 


Protecting Elmer from... Elmer 


So “operator error’ is really the problem here — Elmer inadvertently 
clicks Submit without entering the email information, and blank 
emails get sent to the entire list. It’s never safe to assume a web form 
will be used exactly the way it was intended. That’s why it’s up to 
you, the vigilant PHP scripter, to try and head off these kinds of 
problems by anticipating that some users will misuse your forms. 

Let’s take a look at the code in our current sendemail. php 
script to see how Elmer’s empty email messages are getting created. 


Schd Email uses the 

rjrom the -Pov-m -fco build dh email ； even 
the usc\r didh ； t Chtcv- ahythmg. 




M.tkL- Ml- ElviS l-imJ Kriuiil 


= r 二二 ㈣ —■ 



<?php 

$from = 'elmer@makemeelvis.com 
$subj ect = $_POST[ 1 subj ect']; 
$text = $_POST[* elvismail']; 


TV^c m i\\t ^o\rm is vcVicvcd 
/j^STTsubj 私 V] and f 一 

- P0STrclvismair3, artd is saved m 
fsubject av\d … 


$dbc = mysqli 一 connect('data•makemeelvis•com', 'elmer', 'theking', 'elvis_store') 
or die ( 1 Error connecting to MySQL server .')； 


$query = "SELECT * FROM email—list ”； 
$result = mysqli—query($dbc, $query) 
or die ( 1 Error querying database. 1 ); 


while ($row = mysqli—fetch—array($result)){ 

$to = $row[' email']; 〆 Piroblcm is, wc use fie%i m ou^ 

$f irst—name = $row[ ' f irst—name ， ]，• message whethev the variable 

$last_name = $row [ ' last_name ' ] ; y ^OhtaihS text oy hot 

$msg = "Dear $first_name $last—name,\n$text"; 
mail($to, $subject, $msg, 'From:' . $from); 

echo ' Email sent to: ' • $to • ’ <br /> 丨； ...ay\d ^ ^ so uSC 

—c 細 
\*b ov v\o*t- 




mysqli—close($dbc); 

?> 


Write down what you think should be changed in the 
sendemail. php script code to fix the blank email problem: 


you are here ► 


163 














sendemaH.php needs validation 


Pemand good form data 


Elmer’s Send Email form’s in need of validation, which is the process of checking 
to make sure form data is OK before doing anything with it. Elmer already uses 
validation even though he doesn’t call it that. Whenever he receives an order for 
Elvis gear, he doesn’t just immediately fill it and send it out... he validates it first! 

In the case of an order, Elmer first checks to see if the customer’s credit card is 
valid. If so, he fills the order and gets it ready to ship. But then he has to check if 
the customer’s shipping address is complete. If that checks out, then Elmer goes 
ahead and sends out the order. A successful order for Elmer’s store always hinges on 
the validation of the order data. 


Valictation means 
makingf sure tke 
data you get is tke 
data you expect. 


EUcv- )ias -to 
validate 
Credit tav-d 
tBCM dus*tow>cv- 
bc-fo\rc 

ovdev-. 


The shipping 
3 dd\rcss must 






TVic ov-dev- cmly 
sWips i-f *tV^c 

£.v"cdi*t 乙 

addv-css 
av-c valid* 


To solve Elmer’s blank email problem, we need to validate the form data delivered to 
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realistic and practical applications 


The logic behind Send Email validation 

Elmer needs to validate the data he gets from the sendemail. html form before 
he sends any emails. In fact, sending the emails should completely hinge on the 
data validation. What we really need PHP to do is make a decision based on the 
validity of the form data received by the sendemail. php script. We need code 
that says, “if the data is valid, go ahead and send the emails.’’ 


T*V^CSC "two muS't be 七 •… ovdcv* 

(or data *to be do^sidcv-cd valid- 


IF Subject contains text AND Body contains text 





THEN send email 

\ 

both ^OhdrkiohS avc mci, 
cvc^ry-thihjs Cool, av\d we 
schd the emails out 


Wve bcch schdihj -the emails without 
v/onryi^ 汕 0 认七訕此 Ay 七 U3, is 
ih "tlicsc -Po\rrh -fields. 

iAAtK i\\t Keif validation, wc 
make sure emails art u 士 ss 

bo*th -fovm -f ields toirrts •… da*t3’ 


on 


M.tkL- Mi- Elvi> - Send Ermui 


xoh 

SuUiecflol emarf: 





"submiO* 





sendemail.html 


tJiereiare no 。 

Dumb Questi 9 ns 


I’ve also heard of validating data on the client instead of 
on the server. How does that work? 

The web browser is considered the client, so client-side 
validation would be any checking that occurs before the data’s 
sent to the PHP script. Languages like JavaScript can do client- 
side validation. If you're interested in learning more , check out 
Head First JavaScript, which discusses client-side validation in depth. 


So why use server-side validation instead of client-side? 

If we validate on the client, only part of the problem's solved. 
Elmer could potentially browse directly to sendemail. php and 
send out a blank email. But if we validate on the server, it solves both 
problems. Blank data in the form will be detected as well as blank 
data from the PHP script being directly loaded. This isn’t to say that 
it's wrong to validate on the client. In fact, it's a very good idea. But 
the server is the last line of defense for catching bad form data, so 
server-side validation can’t be ignored. 
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the H statement 


Your code can make decisions with IF 

The PHP if statement lets your code make decisions based on whether or not 
something is true. Consider Elmer’s orders again. Before filling an order, Elmer 
must get paid, which means charging the customer’s credit card. If the customer 
gave Elmer the wrong card number, he can’t fill the order. So Elmer performs a 
kind of real-world validation on every order that goes like this: 

If the customer’s credit card checks out, go ahead and fill the order. 

We can translate this scenario to PHP code using the if statement, which is 
designed to handle just this kind of decision making. 


The basic if statement has three parts: 


o 

❺ 


The if keyword 

This starts off the statement. 

The test condition 

The test condition, or conditional expression, is located in 
parentheses right after the if keyword. Here’s where you put the 
statement that you want to determine the validity, or truth, of. 



The action 

The action of an if statement directly follows the test condition and 
is enclosed in curly braces. Here’s where you put the PHP code you 
want to execute if the condition is, in fact, true. 


Ti^c s*ba 七 emerrb 
bcjms 


This is the dohditio^. Its daH'mo\ a 
❺ {o dhcdk a^d see i^f y/hat’s 

s-tovcd \v\ fdvcdit card is valid. 




o if (isValid($credit—card—num)) 


❺ fillOrder() 

A 


TWis Watc Idc— 


r 

This chds -the a^-tioh 
the i-P s-fca-tcrwCht 


义 ^ hypothetical -Puh^tioh vetuv- 

•brue -false dcpchdihg oh -the 
validity o-P -the tYtd\i cav^d. 


TW»s \s PHP 

Vou V^avc as ^ I'mcs ok 

todt as you WisV^. 
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realistic and practical applications 


Testing for truth 

The heart of the if statement is its test condition, which is always 
interpreted as either true or false. The test condition can be a variable, 
a function call, or a comparison of one thing to another, as a few examples. 
Elmer’s credit card validation relies on a function call as the test condition, 
which means the value returned by the function is either true or false. 




TV "test CoMoy^ 
\s *tvuC ov 


IF credit card^is valid 
THEN fill order 







fillOrder(); 


icsi dohditioh is 
七 he dd 七 ioh s £.3\r\ricd ou 七 . 



It’s quite common to use a comparison as a test condition, which typically 
involves comparing a variable to some value. For example, maybe Elmer 
wants to give a discount to customers who live in Nevada. He could create 
an if statement that carries out a comparison on part of the shipping 
address, like this: 


This is t\ruc i-P the fshippihytate 
vav-iablc ^oh-ta'ms -the text 


IF customer lives in Nevada 
THEN apply discount 


if ($shipping state 


▼ Nevada') 


〆 如 


$total = $total * 0.9 



A 10% disdouh-t is applied 
m i\\t achor\ \( itsi 
tor\di*tior\ is *tv"uc. 


This test condition performs a comparison for equality, which involves two 
equal signs (==). Equality comparisons aren’t just for variables and strings. 

You can compare variables to numbers, variables to variables, and even 
perform calculations. 

. ^ ~ ^oh -t pu-t quotes dv^ouhd 

匕如 -fco see i*f ( $num_iterns == 10) values, 

what is sieved ih ohc — 

Wiablc is -to what ^ ($shipping_address == $billing—address) 

IS s *toired ih dho*thcv-. 



4 ) 

You cav\ tav-v-y out 
opcv3*tior\s m 3 "tcs*t 
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comparing values in php 


IF checks for more thaw just equality 

An if statement can check for more than just equality. The test condition in your 
if statement can also check to see if a value is greater than another one. If it is ， 
the result of the condition is true, and the action code is executed. Here are a few 
more tests you can use to control the decision of an if statement. 


I Vs 0 ^ *to v/v-itc i-f 

S*ta 七 ernerrt oy \ d 

as loy\^ 3s 七 he 

a 乙七 io 灼 is \rclativcly simple. 


ou*t 

•Oiese *bwo variables. 


There are two ways to check if things are 
not equal: <> and ! =. These give you 
the opposite results of an == equality test. 


$small—number = 2; 
$big number = 98065 




Both o-P these ^OhdrkiohS 

3V-C "bruc. 



if ($small_number <> $big_number) { echo 'True 
if ($small number != $big number) { echo 'True 


The greater than sign (>) checks to see 
if the value on the left is greater than the 
value on the right. If so, the condition is 
true, otherwise it’s false. 




This d.or\d»*b»oir\ is -false- 


if ($small number > $big number) { echo 'True 


The less than sign (<) compares the value 
on the left to the value on the right. If 
the left value is smaller than the right, the 
condition is true. 


his dohditioh is tv-uc- 

if ($small number < $big number) { echo 'True 


Greater than or equal to (>=) is like 
greater than (>) except it also results in 
true if the two values are equal. 


if ($small number 


i 


Tiiis dondi*tior\ is -false- 

$big number) { echo 1 True 


Less than or equal to (<=) is similar to 
less than, except it’s also true if the values 
are equal. 


(This ^ohdi'kioh is tvue. 

if ($small number <= $big number) { echo * True 
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How about strings? 
Would ( M dog 〃 > M cat〃) 



Yes, you can compare strings in if test conditions. 

They work based on the alphabet, with a being considered smaller 
than (less than ) 乙 Using greater than and less than can help you when 
you need to present information in alphabetical order. 










realistic and practical applications 



BE th^ |n Sf^emenf 

Your job is to play tire if test condition and decide if 
you are true or false given {ke following variables. 



$my_name = 'Buster 
$a number = 3; 


$a decimal = 4.6 


$favorite_song = 'Trouble'; 
$another_number = 0; 
$your_name = $my_name; 


($a number 

== 3) 


true or false 

($another number == 

If H J 

true or false 

($favorite_ 

song == 

’’Trouble") 

true or false 

($my name = 

:= ’ $your 

name ' ) 

true or false 

($my name = 

:= n $your 

name") 

true or false 

($your name 

i == $my name) 

true or false 

($favorite_ 

song == 

▼ Trouble▼ ) 

true or false 

($a number 

> 9) 


true or false 

($favorite 

food = *] 

hamburger ’ ） 

true or false 
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be the test condition solution 


BE |n jf sf 球 emenf §©]ug©n 

Your job is to play tire if test condition and decide if you are 

true or false ^iven lire following variables. 



$my name 


Buster 


$a_number — 3; 

$a_decimal = 4.6; 

$favorite song = 'Trouble 


$another number 


0 ; 


$your name = $my name; 


($a_mmber == 3) 

($another 一 number == nn ) 

($favorite 一 song == "Trouble") 
($my_name == ， $your 一 name ， ） 

($my_name == ’’ $your 一 name n ) 
($your 一 name == $my 一 name) 

($favorite 一 song == 1 Trouble 1 ) 
($a number > 9) 


true/or false 


true or false 
true) or false 
true or false 
Cjfue or false 
tr§ or false 
trug)or false 




true or 


false) 


o ahd dh empty stv-ihg 
evaluate as c'udl. 

Because *tKosc s'm^lc quotes, 
*tKc dor>di*tioir\ is actually ask'm^ 
i-f stv"nr\5 Bus*tc\r equals 
■tiic t v>o*t 

*tKc value 乙 。扒 * ta’med m 
vav-iable /youv 一朽 arwe. 


/ 

fa—h_bcir is 3, y/hi 匕 h is 

ho 七 thah % 


($favorite 一 food (=^) } hamburger 

S“W be 二二 4 

y/e m*tcy\dcd 
•to be d tom\>av-'isoy\. 


tJiereiare no o 

Dumb Questi 9 ns 


truejor false 


Okay, is a test condition the same thing we used to control while loops in Chapter 3? 


0\C, *tKis ov\ts 

or\ly oy\C C<\ual s\Ojr\ is used i^cv-c, 
\{!s a 乙 tuallY a 於 assiyw 伙 *1 (二夂 
^o*t d ^ompav-isor\ (二二）. 
i 七 tY\ds uf> kem^ *tvuc because 
3 r\y*b^m 3 o*t^CV NULL, 

ov -false yb m*tcv-pvc*tcd by 


It’s exactly the same. And even though we used it to tell us when we had remaining rows of 
query data back in Chapter 3, we can devise more interesting test conditions for while loops by 
using different kinds of comparisons. You’ll see that later in the book. 
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realistic and practical applications 


The logic behind Send Email validation 


Elmer needs to validate the data he gets from the sendemail. html form before 
he sends any emails. In fact, sending the emails should completely hinge on the 
data validation. What we really need PHP to do is make a decision based on the 
validity of the form data received by the sendemail. php script. We need code 
that says, "(f the data is valid, go ahead and send the emails." 

But first we need to grab the form data and store it in a couple of variables: 


$subj ect = $_POST['subj ect'] 
$text = $ POST[ ' elvismail']; 


n o 


M.LkL' Mi k Elvi\ - SL-Eid Em.iW 


This form data is all we need to check and see if there is data in each 
of the form fields. The logic might look something like this: 

IF $ subject contains text AND $body contains text 

THEN send email 

Or we could take the opposite approach and check to see if the form 
fields are both empty, in which case we could display a warning to 
the user: 

IF $ subject is empty AND $body is empty 


巧 r 二:：二岬 ㈣ 






sendemail.html 


THEN echo error message 

Both of these examples have a problem in that their logic requires 
us to make two comparisons in a single if statement. One possible 
solution is to use two if statements... 


— your pencil 


Write two if statements that check to see if both the subject and message 
body of Elmer's Send Email form are empty. Echo a warning message if 
they're empty. 
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isset() and empty() functions 

- fejkarpen your pencil 

Solution 


Write two if statements that check to see if both the subject and message 
body of Elmer's Send Email form are empty. Echo a warning message if 
they're empty. 


丁 ha 七 ’s *b>wo sm^lc quotes, 

i-f (/subjed == 扣 切 士 " 叫 . 


i-f 


By y\CS*tm5 "tv^c se^oy\d Cdho Y ou *fo\rjo*t the email subject a^d body *tc>c*t.<b\r />\ 

i-f s*bs*tcw'C^*t ms'idc i 

七 he *(* iv*st ov\C, Co&t • • 

•,s saY'm^ *tV^a*t 州必七 

be *bruc m orAcc -for i\\t 
ctKo s*ba*tew»ey\ 七 * to … 灼 . 


Ihdchiatioh helps -to show where ihc 
•mhe\r 4 s-blcmch-t cy\As, whev-e 
the outc\r i-P s-tatcmcht tv\ds. 


?W functions for verifying variables 

Using == to check for an empty string works, but there’s a better way that involves 
built-in PHP functions. The isset () function tests to see if a variable exists, which 
means that it’s been assigned a value. The empty () function takes things one 
step further and determines whether a variable contains an empty value, which 
PHP defines as 0, an empty string (’’ or ’▼’▼)，or the values false or NULL. So 
isset () only returns true if a variable has been assigned a value, while empty () 
only returns true if a variable has been set to 0, an empty string, false, or NULL. 

Let’s take a look at how these functions work: 


-v| torrbs •… s a value. 


1 

$vl = 'aloha'; 

fvZ is ah empty s-tv-ihj. 」 ’ 

if (isset($vl)) 



fvl is sc*t) 

i 七 tor\*ta"ms 

a 於 cw'fty S*brnr^. 


fv? 


do«h 七 cxis-fc. 




if (empty($vl)) 

~ ^ 

if (isset($v2)) 
if (empty($v2)) 
if (isset($v3)) 

y 

if (empty($v3)) 


Bo*tK fvl ar>d fvZ avc tohsidcv-cd -to be 

sc*t> *tKou^K o^ly fvl Kas d value- shaded tt\\o 

^ Code is c%ctu*tcd| 


fvl is hoj empty, it 
^OhtaihS text. So -this 
i*P ^ohdrkioh is -false. 





十 7 

because *tV\c stvm”t 

wtaW， s 〜切， 


is ^ohsidcv-cd 
empty cvch -though 
'"t doesh^t exist. 
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realistic and practical applications 


I get it. We can use isset() and empty() to 
validate the $subject and $text form data. 



That's half right. We're really just checking to make sure 
the form data isn't empty，so empty () is what we need. 

The $sub j ect and $text variables are assigned values from the 
$_POST [ ' sub j ect' ] and $_POST [ ▼ elvismail' ] superglobals. If 
you test these variables with isset (), it will always return true regardless 
of whether or not they hold any actual text. In other words, isset () 
doesn’t show you the difference between a blank form field and a filled out 
one. The empty () function checks to see if a variable is actually empty, 
which is what we need for form validation. 


issetO ckecks tliat a 
variable exists and is set. 




tWeiare no o 

Dumb Questions 


So what’s the point of using isset () anyway? 


emptyO ckecks to see il a 
variable lias any contents. 


The isset () function is extremely valuable when you 
need to know if a piece of data exists. For example, you can check 
if a form has been submitted via a POST request by passing the 
isset () function $— POST. This ends up being an extremely 
handy technique, as you find out a little later in the chapter. 


i^harpen your pencil 


Rewrite the two if statements that check to see if both the subject and 
message body of Elmer's Send Email form are empty, but this time, use the 
empty () function instead of == in the test conditions. 
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the! operator 


^Sharpen your pencil 

7 A n 


Rewrite the two if statements that check to see if both the subject and 
message body of Elmer's Send Email form are empty, but this time, use the 
empty () function instead of == in the test conditions. 



A ^all -to cmfbyO 

\rCfequality 

cv*3"toV" ( 二二） •… 七 


>PCVdtO' 


dor\dii*tioir\S. 


i-f (cm^yffsubjcd-t)) { 
i-f { 

cdho -fo\rOjo*t email subject body *tc>^t<b\r / > ) 

} . 

.The \rcst o-f the 匕 ode is . 

} "the sdme as bc-fovc- 





What if we need to only 
take a certain action if a 
form field is not empty? Is 
there a notempty() function? 


ai 


No, but there's an easy way to reverse the logic of any test 
condition... the negation operator. 

We know the test condition that controls an if statement always results in a value 
of true or false. But what if our logic dictates that we need to check for the 
reverse of what a condition gives us? For example, it would be helpful to know if 
Elmer’s form fields are not empty before sending a bunch of emails with the form 
data. Problem is, there is no notempty () function. The solution is the negation 
operator ⑴， which turns true into false, or false into true. So ! empty () 
literally calls the empty () function and reverses its result, like this: 

The NOT opev-a-tov- (I) 

tu\rhs ih-fco -false, \ 
o\r -false ih-to tv-uc. 

if (!empty($subj ect)) { 

} ^ n*is asks, w |s i\\t SiAkjctt 

“IdUo 七 Or, docs *»t V^avc 
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realistic and practical applications 





Fill in the blanks in Elmer’s sendemail .php code so that email only gets sent 
when both $subject and $text are not empty. Use if statements and the 
empty () function. 


on 


M.tkL' Mi* Elvi. ■- Sinid ¥.nu\n 


All my fields need 
to have values. 


O 


o 


==工=二 ㈣ —■ 


f submit") 


<?php 

$from = 'elmer@makemeelvis.com 
$subj ect = $_POST['subj ect']; 
$text = $ POST[* elvismail']; 




sendemail.html 


if 


if 


$dbc = mysqli—connect('data•makemeelvis•com', * elmer ', 'theking *, 'elvis_store *) 

or die('Error connecting to MySQL server . 1 )； 


$query = M SELECT * FROM email—list ，'； 
$result = mysqli—query($dbc, $query) 
or die('Error querying database . 1 )； 


while ($row = mysqli—fetch—array($result)) { 

$to = $row['email']; 

$first_name = $row['first—name']; 

$last_name = $row['last_name']; 

$msg = "Dear $f irst_name $last—name, \n$text ，'； 
mail($to, $subject, $msg, 'From:' . $from); 

echo 'Email sent to ' . $to . '<br / >'; 

} 

mysqli_close($dbc); 


?> 
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sendemail.php — now with validation! 



Fill in the blanks in Elmer’s sendemail .php code so that email only gets sent 
when both $subject and $text are not empty. Use if statements and the 
empty () function. 


on 


M.tkf M\- ElvK - SL-mi Hreuiil 


All my fields need 
to have values. 


O 


o 




BiKiytffwnTiii *； 


The poih"t 

\rcvc\rscs the logid o( 
the CrwptyO -Puh^tioh. 


TiiC C.or\di*t»oir\ 

tV^cdks -bo see 1-f 
/subject is Kjot_cw\p*by- 


f Submit) 



<?php 

$from = 'elmer@makemeelvis.com 
$subj ect = $_POST['subj ect']; 

: text = $_POST['elvismail']; 

if subject)) { 




… i*f hot, good/ /Vow 
yc *to see i-f 

is hO"t Crup'ty. 

Wc Kad *to ov\t '»-(* s-ba-tc^c^-t 
mS -,ac -tKc o-tKc^r *to make 
七 w»s y/ork. TW.S «S tailed 




sendemail.html 


$dbc = mysqli—connect('data•makemeelvis•com', 'elmer', 'theking *, 'elvis_store *) 

or die('Error connecting to MySQL server . 1 )； 


$query = M SELECT * FROM email—list ，'； 
$result = mysqli—query($dbc, $query) 
or die( 1 Error querying database. 1 )； 



while ($row = mysqli—fetch 一 array($result)) { 

$to = $row['email']; 

$first_name = $row['first—name']; 

$last_name = $row['last_name']; 

$msg = "Dear $first_name $last—name, \n$text，' 
mail($to, $subject, $msg, 'From:' . $from); 

echo 'Email sent to ' . $to . '<br />’； 


1( cithcv -Poirirw daia variable is 
empty, oy\c o( 七 he i*f sta 七 eme 灼 is 
v/ill be dhd hohe o-P -the Code 
y/ill \ruir>, y/hidh medhs y\o bldrtk 
email will be seh 七 out — jus 七 y/hat 
v/c v/3v\icd! 


mysqli_close($dbc) ; ^ havc ^ d | c sc M *t^c adtior> 

fav*t o-f \>oi\\ o( *tKc i-f s*ta*tcmc^*b. 
TKc -f ivsi bv-adc tY\ds i\\t nrmev i*f 
s*ta*tcmcr>t ar\A *tKc sedor^d bv-adc 
ey>ds *tKc outer i-f s*ta*tcmcr>*t. 

?> 
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realistic and practical applications 



Tesr DriVq 


See if the empty form field validation works. 

Modify the code in sendemail. php to use if statements that check the form 
field data before sending email messages. Upload the new version of the script to 
your web server and open the sendemail. html page in a web browser. Make 
sure to leave at least one of the form fields blank, and click Submit. 


n n 


\t 


TVic body *tVw 
message cw'fty, 
y/WA makes i\\t 
dala -fail validation. 


Mjfcr Mp f-lviti S^ikcJ Email 


Pflvar#: ForEnf^ef's uae ONLY 

Wnt& and Mnd an 9ma*llo ra 山叩 】iEt members. 

Su&jedoi e^rjii ： 


Hicdt Oev-anul 






^ o — 


M,LkL- twi% Ern-iil 


No Crw 3 il doh-fivrwa-tio^s \rcvcal 
"thai v/as se 此 y/hidh is 

v/hai v/c Bui some k’md 
o-f messaae v/ould be 


rwov-c 


helpful a blank page. 
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cubicle conversation 


What if we had a bunch 
of fields in the form? Would 
we have to nest a bunch of if 
statements to validate them all? 


o 



0^tv\S -Pov-m -p\rorw ed\rliev- ih the 
book is CXdrnpIc o-P how rwoV*C 
*Po\rm -fields \rcsult ih a buhdh of 
r^essy nested i-P s-ta-tcmchts. 

if (!empty($first—name)) { 

if (!empty($last name)) { 


if (!empty($when_it_happened)) { 

if (!empty($how_long)) { 

if (!empty($how many)) { 



Tins 

makes rb iiav-d *to keep 
br^ek tuv-ly Watts. 


Joe ： I think you’re right. If we want to make sure all those fields are not empty, we’ll 
have to nest an if statement for each field. 


Frank: As long as we indent each line of code for each if statement, aren’t we OK? 

Jill: Technically, yes. I mean, the code will certainly work no matter how many if’s we nest, but I’m worried about it 
getting hard to understand with so much nesting. Just matching up curly braces accurately could be a problem. 

Frank: That’s true. I think it’d also be a pain having to indent the action code so far... let’s see, that’s ten form fields, 
giving us ten nested ifs with ten levels of indentation. Even if we just indent each if two spaces, that’s 20 spaces 
before every line of action code. Yuck. 


Joe ： But if we indent with tabs, it cuts that in half — 10 tabs versus 20 spaces isn’t so bad. 

Jill: Guys, the issue isn’t really about the specific code used to indent the nested if’s. It’s just not a good coding 
practice to nest if statements so deep. Think about it like this — we’re really talking about one logical test condition, 
“are all our form fields non-empty?” The problem is, that test condition involves ten different pieces of data, causing 
us to have to break it into ten separate if statements. 

Frank: Ah, I see. So what we need is a way to test all ten pieces of form data in a single test condition, right? 

Jill: Yup. 

Joe ： Then we could write one big test condition that checks all the form fields at once. Awesome! 

Jill: Yeah, but we’re still missing the piece of the puzzle that lets us combine multiple comparisons within 
a single test condition... 
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realistic and practical applications 


Test multiple conditions with ANP and OR 


You can build a test condition for an if statement with multiple checks by 
connecting them with a logical operator. Let’s look at how it works with two 


familiar conditions, ! empty ($subj ect) and ! empty ($text) . This first 
example involves two expressions joined by the logical AND operator, which is 
coded using 


f a Ppl'« ohly -to -the cr^p-tyO -Puhdtioh. 


if ((!empty($subj ect)) && (!empty($text))) { 



Tiiis -tcs*t doy>dijbior\ is only *tv"uc i-f bo*th 
/subject ANP art v\oi 


PHP logic 

operators make 
it possible to 
structure more 
elegant ii 
statements. 


The AND operator takes two true/false values and gives you true only if they 
are both true; otherwise the result is false. So in this case both form fields must 
be non-empty in order for the test condition to be true and the action code for the 
if statement to run. 

The logical OR operator, coded as | |, is similar to AND except that it results in 
true if either of the true/false values is true. Here’s an example: 

if ((!empty($subj ect)) || (!empty($text))) { 

丁 Vis ^ohdr^ioh is "tvuc i-P Crthcv* 

fsubje^t OR ftex-t olv-c hot empty. 

So the action code for this if statement is executed if either one of the form 


Logical AND 
is cocted as &&， 
wkile logical OR 
is coded as It 

, / 

Tha 七 s ho 七 "the hurwbcir eleveh ； 
it’s two vc\rtidal pipes || 一 just 
above backslash (\) Oh youv 

keyboard. 


fields is not empty. Things get even more interesting if you want to isolate one 

form field as being empty but the other having data, like this: f 

fsub\cd*t mus*t be 

I / 七€%七 mus*t be Y\OY\-trr\^bf *foV 

- 〆 i\{\s itsi *to be iv-uc- 


if (empty($subj ect) && (!empty($text)) 


Since this test condition uses AND, both expressions inside of the test condition 
must be true in order for the action code to be run. This means the Subject 
form field must be empty, but the Body field must have data. You can reverse this 
check by moving the negation operator ⑴ to the other empty () function: 

if ( ( ! empty ($subject) ) && empty ($text) ) { 丁十 ._ s "brue ohly i-f fsubject 

^_■iWt empty but jit%i is. 

The AND (&&) and OR (| |) logical operators make it possible to structure much 
more powerful test conditions that would otherwise require additional, often messy, 
if statements. 
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eliminate the nested if statements 



E%eftci$e 


Rewrite the highlighted sections of the sendemail .php script so that it uses 
logical operators in a single if test condition instead of nested if statements. 


<?php 

$from = 'elmer@makemeelvis.com *; 


$subj ect = $_POST['subj ect']; 
$text = $_POST[* elvismail']; 


if (!empty($subj ect)) { 

if ( 丨 empty($text)) { 



a\rc ou\r nested i-P s-tatcrwChts. 
Rewrite them a s'm^le \( 
staterwCht with lo^i^dl opcv-a*tov*s. 


$dbc = mysqli—connect ('data .makemeelvis • com' , 1 elmer 1 , ' theking ' ' elvis_store ') 

or die('Error connecting to MySQL server.'); 

$query = "SELECT * FROM email—list"; 

$result = mysqli—query($dbc, $query) 
or die('Error querying database .')； 

while ($row = mysqli—fetch—array($result)) { 

$to = $row['email']; 

$first_name = $row[ 1 first_name *]; 

$last_name = $row['last_name *]; 

$msg = "Dear $first_name $last—name,\n$text n ; 
mail($to, $subject, $msg, 'From:' . $from); 

echo 'Email sent to ' . $to . '<br / >'; 

} 

mysqli_close($dbc); 

} TV^csc bv-a^cs dose 七 

*t>wo i-f s*ta 七 


?> 
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realistic and practical applications 




Tqst DriVq 


Make sure the logical operators in the Send Email script do 
the same job as the nested if statements. 

Modify the code in sendemail. php to use a single if statement that takes 
advantage of logical operators to check the form field data before sending email 
messages. Double-check the exercise solution on the following page if you aren’t 
sure about the changes to make. 

Upload the new version of the script to your web server and open the 
sendemail. html page in a web browser. Make sure to leave at least one of 
the form fields blank, and click Submit. Does the script still prevent the email 
messages from being sent when a form field is blank? 


ihereictre no 。 

Dumb Questions 


Does it matter what order you put two 
conditions joined by && or | | in an if statement? 

Yes. The reason is because these two operators 
are short-circuited whenever possible. What 
this means is that if the first operand is enough to 
determine the outcome of the expression, the second 
operand is ignored. As an example, if the first operand 
in an AND expression is false, this is enough to 
cause the expression to be false regardless of the 
second operand, so the second operand is ignored. 

The same rule applies when the first operand in an OR 
expression is true. 


I've seen PHP code that uses and and or 
instead of && and | |. How do those work? 

They’re virtually the same as & & and | | ■ 
There’s a slight difference in how they’re evaluated 
relative to other operators, but if you're careful to use 
parentheses to make your test conditions clear, then 
there’s essentially no difference. 
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sendemail.php — now without nested if statements! 



Rewrite the highlighted sections of the sendemail.php script so that it uses 
logical operators in a single if test condition instead of nested if statements. 


<?php 

$from = 'elmer@makemeelvis.com 
$subj ect = $_POST['subj ect']; 
$text = $ POST[* elvismail']; 


or NOT »s used 

•to eMtck -for - fields. 


~ ( ! empty ($oubjoct)) 

■4^~( 1 empty ($toxt)) 


.((! empirefW.b jc.d)). .&&. 



^ ^ MV -to dhcdk both 

^OhditiohS ih OhC i-f S-tatcmCht. 

Rcmcmbcv-) && >s \\o>n you actually 
spc6-fy tV^c ANP \oyca\ ofcvaW- 

|| $dbc = mysqli 一 connect ('data .makemeelvis • com' , ' elmer ' , 'theking', 

or die('Error connecting to MySQL server.'); 

$query = "SELECT * FROM email 一 list"; 

$result = mysqli—query($dbc, $query) 
or die('Error querying database .')； 


'elvis store') 


while ($row = mysqli—fetch—array($result)) - 
$to = $row['email']; 

$first_name = $row['first—name']; 

$last_name = $row['last_name']; 

$msg = "Dear $first_name $last_name,\n$text’ 
mail($to, $subj ect, $msg, 'From: ' . $from); 

echo 'Email sent to ' . $to . '<br / >'; 


mysqli close($dbc); 


All o-f -the Code ihsidc the i-f 
s-ta-tcmch-t should be Uh-'mdeh-ted 
° hC s,h ^ how \rcsidcs ih a 



Ouv s'mjlc i-P s*ta*tcm ⑼七 mca^s wc 

or>ly Y\ttd oY\t dlos'm^ tuvly bvadc. 


?> 
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realistic and practical applications 


Form users need feedback 


Our sendemail. php code does a great job of validating the form data so that 
no mail gets sent out if either the Subject or Body fields are left blank. But when 
the validation fails, and no emails are sent out, the script doesn’t tell Elmer what 
happened. He just gets a blank web page. 


£1 你饮 sees -this Page wheh 

he submits -the a^d 
he has ho due why/ 


ft n r> 


M,Lkf Mh* EJvi% Em.ul 



The problem is that our code only reacts to a successful validation, in 
which case it sends the email messages. But if the if statement turns out 
being false (invalid form data), the code doesn’t do anything, leaving 
Elmer in the dark about whether any emails were sent or what went wrong. 
Here’s the abbreviated script code, which reveals the blank page problem: 

<?php 

$from = 'elmer@makemeelvis.com 1 ; 

$subj ect = $_POST['subj ect']; 

$text = $ POST[* elvismail']; 


if ((!empty($subj ect)) && (!empty($text))) { 

$dbc = mysqli connect ( 1 data . makemeelvis . com ** elmer 1 , ' theking * , ' elvis store') 




mysqli close($dbc); 


?> 


a*t all i-f i-f s*ta*te 你⑶七 -fails 

-to v-ur> ad*t'ior> Code, wKitK is wKy a blank page 
is "tKcv-c is *fovr« da 七 a. 


We need to let Elmer know that there was a problem, ideally telling him 
what form fields were blank so that he can try entering the message again. 
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the else clause 



Not a problem. Just put an echo 
statement after the closing 
brace of the if statement. 


That won't work because code after the if statement 
will always be executed. 

Placing the echo statement after the if statement just means it runs after 
the if statement, but it always runs regardless of the outcome of the if. 
That’s not what we need. We need the echo statement to show an error 
message only if the test condition of the if statement is false. You could 
express our logic as this: 

IF subject contains text AND body contains text 


THEN send email 



X ELSE echo 


error message 


The if statement offers an optional else clause that runs code in the event 
that the test condition is false. So our error message echo code can go in 
an else clause, in which case it only gets run when one of the form fields is 
left empty. Just place the word else after the if statement, and then stick 
the action code for it inside curly braces: 


T\\t else dlausc starbs 

，吵七 a-f-bev- 

tuv-ly bv-adc 

•for tU s*ba*bcmcir\*b. 




if ((!empty($subject)) && ( 丨 empty($text))) 

TViis is a placeholder 
七 ^ code that sc^ds tVic 

emdll messages. 


else 


.J 

Chdloscd ih du\rly bv-adcs. 


echo 'You forgot the email subject and/or body text.<br 

T\\t todt \\trt OY\hf \ruy> \( 
i-f s*ta*tcr«cr>*t 七 uvr>s ou 七 -false* 


Tke else clause executes code wken an il test conctition is false. 
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realistic and practical applications 


, c 

E 從 ttciSe 


Below is new code for Elmer’s sendemail .php script that uses if statements and else 
clauses to provide feedback, but some of the code has gotten misplaced. Use the magnets to 
replace the missing code. 


<?php 

$from = * elmer@makemeelvis.com'; 
$subj ect = $_POST['subj ect']; 
$text = $_POST [' elvismail*]; 


//We know both $subject AND $text are blank 


// $subject is empty 


// Everything is fine, send email 


// $text is empty I 


else { 


//We know we are missing $subj ect OR $text - let's find out which one 


echo 'You forgot the email subj ect.<br / >'; 

} 

else { 


echo 'You forgot the email body text.<br / >'; 


else { 


?> 


while ($row = mysqli—fetch—array($result)) { 

$to = $row['email']; 

$first_name = $row['first—name']; 

$last_name = $row[ 1 last_name *]; 

$msg = "Dear $first_name $last—name, \n$text ; 


mail ($to r $subj ect, $msg, ' From : ' . $from); 

echo 'Email sent to * . $to . * <br / >'; 




empty($text) 



empty($su 

bject) | 

empty($text) 



J 

empty($subiect) I 

empty($subject) 
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exercise solution 




^ m 

E^itctSe 

SoLytlOH 


Below is new code for Elmer's sendemail .php script that uses if statements and else 
clauses to provide feedback, but some of the code has fallen off. Use the magnets to replace the 
missing code. 


<?php 

$from = 'elmer@makemeelvis.com 
$subj ect = $_POST['subj ect']; 
$text = $ POST['elvismail']; 



The ou-tcir dhcdks see both the 

subject ahd body avc empty. |-f h oi thcv-c av-c ohly 
„ other possible scenes ： both av-c filled ih, 

七 k subject is “ 3 , o\r the body text is missiq. 


if 


獻 empty($subject) empty ($teTt7 


//We know both $subject AND $text are blank 




else 


lf 1 

r 

I empty($subject) I 

CIj 

| empty($text) | 

[J 

1 ^ \ 


//We know we are missing 


OR $text - let's find out which one 


(if ] ( empty ($subject) 

ELD . 

// $subject is empty 



echo 'You forgot the email subj ect.<br / > 


else 


// $text is empty 


echo 'You forgot the email body text.<br / > 


else 


// Everything is fine, send email 


while ($row = mysqli—fetch 一 array($result)) { 

$to = $row['email']; 

$first—name = $row['first_name']; 

$last_name = $row['last_name']; 

$msg = "Dear $first—name $last_name,\n$text 
mail($to, $subject, $msg, 'From : ' . $from); 

echo 'Email sent to ' . $to . '<br />'; 

} 

mysqli close($dbc); 



/\七 fo'mt we’ve 
七 Wo— all 七 he oi\\t>r 
possibilities, so wc k^o>M 七七 
both -fovm -fields iiavc values. 


?> 
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realistic and practical applications 


All those nested if's and else's are making 
the script hard to follow. I'd hate to ever 
have to work on that script! It needs to 
be simplified before someone gets hurt. 


It's always a good idea to simplify 
code whenever possible, especially 
nested code that gets too deep. 

Too many else clauses with nested if statements 
can make your code hard to follow. Maybe that 
wouldn’t matter if we never had to look at it again, 
but that’s unlikely. If we ever needed to change 
the form and add another field, validating it would 
be trickier than it needed to be because it would 
be hard to read the code and figure out where the 
changes need to go. 
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clean the if code 



cleanex 

BE 

Your job is to play IF code and clean up the 
messy nested IFs and ELSE's. Rewrite the 
code to ^et rid of lire nestii^, but make 

sure it still wopfe correctly. 


You ho*t 
yyttd av\y clscs/ 



if (empty($subject) && empty($text)) { 

echo 1 You forgot the email subj ect and body text.<br / >'; 


} else { 

if (empty($subj ect) | | empty($text)) { 
if (empty($subj ect) { 

echo 'You forgot the email subj ect.<br / > 1 ; 

} else { 

echo * You forgot the email body text.<br / >'; 


Rcv/vrbc 七 W，s toAt SO 
铣 a 七 •• 七心’七 ^ cd * 


} else { 

// Everything is fine. send the email 
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realistic and practical applications 



Tqst DriVq 


Try out the cleaner if code to make sure it works as expected. 

Modify the code in sendemail. php to use if statements similar to those you just 
wrote that simplify the if nesting. Flip to the solution on the following page if you 
aren’t sure about the changes to make. 

Upload the new version of the script to your web server and open the 

sendemail. html page in a web browser. Experiment with the script by submitting 

the form with form fields both blank and filled. Does the script display error messages 


ihereictre no 。 

Dumb Questi9ns 


Are a few levels of nesting really that 
big of a deal? 

It depends. If you’re writing some code 
that only you will ever see and you think you’ll 
remember exactly what every next line does in 
six months time when you come back to it to 
tweak it, nest away. 

If on the other hand, you’d like to keep your 
code as clean and logical as possible, you can 
use any of the several logic operators you've 
met so far. 


How does else work? 

In an if. . . else statement, the 
else matches anything and everything that 
doesn't match the if part. 

Hmm. Okay. Does that mean I 
could nest if and else in existing 
if. . . else statements? 

Well, you could, but with all that nesting, 
things would get complex pretty fast and we’re 
trying to avoid nesting here! 
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the cleaned-up if code 


BE §©]iig©ti 

Your job is to play IF code and clean up ike 
messy nested IFs and ELSIE’S. ^Rewrite 
tire code to ^et rid of tire nesting, but make 

sure it still worlds correctly. 



Hcv-C) V/cVc *tcst'»^5 

*to see »*f bo*t)i *tV^c 
fsukjct*t and f*te 乂七 
variables av-c c^yiy- 


if (empty($subject) && empty($text)) { 

echo 'You forgot the email subj ect and body text.<br / > 
} else { 

if (empty($subj ect) | | empty($text)) { 
if (empty($subj ect) { 

echo 'You forgot the email subj ect.<br / >'; 

} else { 

echo 'You forgot the email body text.<br / >'; 

} 

} else { 

// Everything is fine. send the email 


^- ^ i-f /subject) ScSc { 

-fov-^o-t *tiic email subject By\A body /> \ 

} , , . )•. 7 . This / odc 匕 —ks 铋 se(! / /subject is 

to 娘 is hoi 

……… |“ e 仏 (㈣ to isolai, 

" i\\c sub\cd*t/body 

er>d up ar> t^bra (( 


tteve v/c v-c 




*tc^t 

ccdbadk 


i-f && { V/C douia er>a uf 叫 a? e%tva 

i , message- Same tKm^ aocs W Y\ot c^pty 

.. .^h?. .Y?. u . ..… /sutjed-t rte 此 



, .•.•f. ⑽丁 op 〒 *to\r ") dhcdks -fov- 

f\Y\d iicv-c, >wcVc .. c 丄 L . . c. . i ， .i fsubjedt av\d ftext bcihft hoh-empty. 

七七 3 *t° sec i-f fey.cy*y.th^ 9 ..•?. • 女 ! ds^ri.tbc..c ㈣ I. J r • 

^ci*tiicv fsubjet-b 歐 .}•. 

is cw'fty- 
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realistic and practical applications 



rm all shook up. When I forgot to 

enter the subject in the form, I got this J 

page. But then, when I clicked the Back ' 

button, I had to retype the whole message. J j^ is ^> d ae -tells 



Validation in Elmer's Send Email script is working but 
it could be a lot more helpful. 

When the sendemail. php script detects missing form data, it displays 
a message that information is missing, but that’s it. There’s no link back 
to the original form, for example. And even worse, when Elmer navigates 
back to the original form, the information he did enter is no longer there. 
He has to retype both the subject and body of his email message. 





What would you do to improve the error handling 
of the Send Email script to make it more helpful?. 
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regenerating the HTML form code 



It would be cool to show the form 
along with the error message. Couldn’t 
we just echo the form if the email 
subject and body text are empty? 


Displaying the form would definitely be helpful, as it would 
save Elmer having to navigate back in his browser. 

So in addition to echoing an error message when one of the form fields is empty, 
we also need to regenerate the HTML form code from PHP by echoing it to the 
browser. This code shows that PHP is capable of generating some fairly complex 
HTML code: 



TViis PttP co&t entire HTML 


echo '<form method= M post" action="sendemail.php">'; 

echo 1 <label f or= M sub j ect M >Sub j ect of email : </labelxbr / > 1 ; 

echo ' <input id 二 ,, sub j ect" name=" sub j ect" type= M text"'. 

'size= M 30" / ><br />，； 

echo * <label for= M elvismail">Body of email : </labelxbr / > * ; 
echo ' <textarea id= M elvismail" name="elvismail" rows = M 8" * . 


TV^'iS mdcir\*t3*t>or\ is\r\ *t 
but rt Vicl\>s bo see - 


cols= M 40 M ></textareaxbr 


echo 1 <input type="submit' 


echo '</form>'; 


/>，； 

name= M submit" value="Submit" 

Sm 匕 e HTML Code is middled 

with double Quotes, i-fc^s easier _ 

■to use single Quotes -to suv-v-ouhd 
st^rihjs o\ HT/WL CoAt ih PttP. 



If you’re thinking this code looks a bit chaotic, that’s because it is. Just because 
you can do something in PHP doesn’t mean you should. In this case, the added 
complexity of echoing all that HTML code is a problem. This is a big enough chunk 
of code that generating it via PHP with echo is really not a good option... 
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realistic and practical applications 


Ease iw awd out of PHP as needed 


It’s sometimes easy to forget that a PHP script is really just an HTML web page that 
is capable of holding PHP code. Any code in a PHP script that isn’t enclosed by 
the <?php and ?> tags is assumed to be HTML. This means you can close a block 
of PHP code and revert to HTML as needed, and then pick back up with a new 
block of PHP code. This is an extremely handy technique for outputting a chunk of 
HTML code that is unwieldy to generate through PHP echo statements... like our 
Send Email form code. 


TVis ?> *ba5 

closes *bV^c PttP 

blo^k, 

us *to HTML. 


<?php 

$from = 1 elmer@makemeelvis.com 
$subj ect = $_POST['subj ect']; 
$text = $ POST[ ' elvismail']; 


if (empty($subj ect) && empty($text)) { 

//We know both $subj ect AND $text are blank 

echo 1 You forgot the email subj ect and body text.<br / > 


<form method= M post n action= M sendemail.php"> 

<label for= M subj ect M >Subj ect of email : </labelxbr / > 
<input id="subj ect" name="subj ect" type= M text" size="30 
<label for= M elvismail">Body of email : </labelxbr / > 
<textarea id= M elvismail" name="elvismail" rows= M 8" cols: 
<input type="submit" name= M submit" value="Submit" / > 


</form> 


<?ph 


The <?php -tag siar{s a PttP blod. Siw 

weVe s-till inside the i-P wc have b> 

dose i\\t \( s-b-tcmch-t bc-fov-c 匕 

if (empty($subj ect) && (!empty($text))) { 

echo * You forgot the email subj ect.<br / > 


V 


You can close 
and open blocks 

ol PHP cocte to 

output ckunks ol 

HTML code in a 
PHP script. 

The -fov-rw is Coded ds ir)o\rrv\dl 
HTML srndc "this CoAt is 
f outside o( PttP -tags. 



/ xbr / > 


40"></textareaxbr / > 


Smdc >wcVc still msidc i-P 

HTML todt is or^ly ou*tfu*t 
i-f bo*th -fovm -fields avc 


if ((!empty($subject)) && empty($text)) { 

echo * You forgot the email body text.<br / > 

} 


if ((!empty($subj ect)) && (!empty($text))) 

// Code to send the email 


?> 


Write down anything you think might be limiting about this 
code. How would you fix it? 
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avoiding duplicate code with a flag 


Use a flag to avoid duplicate code 

The problem with the previous code is that it will have to drop out of PHP and 
duplicate the form code in three different places (once for each validation error). We 
can use a true/false variable known as a flag to keep track of whether or not 
we need to output the form. Let’s call it $output_f orm. Then we can check the 
variable later in the code and display the form if the variable is true. 


So we need to start out the script with $output_f orm set to false, and then 
only change it to true if a form field is empty and we need to show the form: 

^ Scttihg /output 一 * Povm "to -false ih'rtially 

Initialize $output form to false the / W ° h ^ ^ s ^ OWh Uh lcss 

— tnc\rc is a validation problem that causes 

its value "to 


These cv-vov- 
messd^es 
av-c slijhily 
di*^fe\reirrt 
•mdita 七 e the 
spedi-fid -Pov-rw 
-ficld(s) -that 

avc empiy. 



IF Subject is empty AND Body is empty 

THEN echo error message, set $output_f orm to true 

_ ^ 


IF Subject is empty AND Body is NOT empty 



THEN echo error message, set $output form to true 


|*f a -foVm -field is 
blar^k, *tKc 

vav-idble is sc*t *to *tv-uc, 
bu 七 *tKc *foVm •isy/ 七 
displayed … ye 七！ 


Subject is NOT empty AND Body is empty 


echo error message, set $output form to true 


|-f both -fov-m 
-f ields tiicdk ou*t 
y/i 七 h ddi{^) Jo 
dliedd a^d send 
七 he emails. 



IF Subject is NOT empty AND Body is NOT empty 
THEN send emails 



IF $output_form is true 

THEN show form Las 七 dhcdk -the fou-tpu-t_-fov-r» 

vav-iablc -fco see i-f -the -Pov-m needs 
■to be displayed. Ei-thcv- v/ay, wc only 

ov\t dopy o( -the HT/1/1L Code. 


194 


Chapter 4 





realistic and practical applications 


Code the HTML form only once 


Turning the new validation logic into PHP code involves creating and initializing 
the new $output_f orm variable, and then making sure to set it throughout the 
validation code. Most important is the new if statement at the end of the code that 
only displays the form if $output_f orm is set to true. 


<?php 

$from = 'elmer@makemeelvis.com'; 
$subj ect = $_POST['subj ect']; 
$text = $_POST['elvismail']; 
$output_form = false; 


ou\r hew 

vairiablc hcv-c ayyd sei 

1 七 "to -false ihi*tia||y. 


By making HTML 

code cfepeiictent on 
an IF statement, 


we avoid ctuplicate 
code in our script* 


if (empty($subj ect) && empty($text)) { 

// We know both $subj ect AND $text are blank 
echo 'You forgot the email subj ect and body text.<br / > 
$output form = true; 



if (empty($subj ect) && (!empty($text))) { 


Se 七如 vav-'iaklc *to *tv-uc '»-(* 
fsub\ctt ar.a art so 

is shoym. 


echo 'You forgot the email subj ect.<br />'; 


$output—form = true; 




Also set the variable -to 
"brue i^p fsubject is empty. 


if ((!empty($subject)) && empty($text)) { 

echo 'You forgot the email body text.<br / >'; 
$output_form = true; ^ st i variable *to 

} br\At i-f / 七•七 is 


if ((!empty($subj ect)) && (!empty($text))) { 

// Code to send the email 


1 ^ 

if ($output 一 form) { 

?> 


TK'is i-f s*ta*tem ⑶七 tKcdks *tKc 
fou*tfu*t_fovm vav'iablc 
displays 七 he -fovm i-f *i*t is *tv-uc- 



dropped out o( PHP todc, but 
Ay 七 Ug pho\r the dos\^ } is still 

^ohsidc^d o( i-P a^ioh - m iWis 

^ HTML eode k ^ 


<form method: 

"post" action="sendemail.php"> 



<label 

f or= 

"subj ect">Subj ect of email : </labelxbr 

/> 


<input 

id=" 

subj ect" name="subj ect" type= M text" size="30" 

/ xbr /> 

<label 

f or= 

"elvismail">Body of email : </labelxbr 

/> 


<textarea id="elvismail" name= M elvismail" rows="8 

"cols= 

"40"></textareaxbr / > 

<input 

type 

= M submit" name="submit" value="Submit" 

/> 


</form> 






<?php 

} 

?> 


Po^*t *to jump 

badk m*to PttP toAt 3r\d 
tlosc i-f s*ta*tcm ⑼ *t. 


k T^c WTML toAt ohly appeav-s oy\U s\ut 

wcvc all loaid 4v- displaying 

it a smglc vaHablc, fou 七 pu 七一不饮州 . 


you are here ► 
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the form data still disappears 


The new form is better, but I still 
have to retype the fields I had typed 
in correctly, which is really annoying. 



HTML alone can't preserve form data. 

When Elmer submits the Send Email form with an empty field, the 
sendemail. php script catches the error and generates a new form. But the 
new form is pure HTML code, which can’t possibly know anything about any 
data Elmer might have entered earlier. So we’re generating a clean new form as 
part of the validation, which is wiping out any data Elmer might have entered. 


Povw' dd'td 七 ha 七 
timer eyrteved. 


SuWi 七 ! 


This c\r\ro\r messolje lets 
Blrtncv khOW he Ic-ft a 
-Pov-rw -field Crwpty. 




Submit 


Elmev" d 匕匕 ideirtdlly 

Ic-Pt this -field bldhk. 



sendemail.html 


4 . 


All the -fields 
av-C r\OY/ empty 
because *this is a 
siVmy v\tyj -Pov-m. 



sendemail.php 


-fo\rrh is submitted 

"to the sehdem^il pkp 
script whch BUcv didks 
"the Submit but-fcoh. 


Ack. We can’t get around the fact that a new form will have to be generated in 
the PHP script. But we need a way to remember any data Elmer might have 
already entered, and plug it back into the new form so that Elmer can focus 
solely on filling out the form field that he accidentally left empty... 


196 Chapter 4 




















realistic and practical applications 



Draw what Elmer's form should look like after he submits it with only the 
first form field filled out. Then write down how you think each of the two 
files (HTML and PHP) should be altered to carry out this new functionality. 





Submit 




sendemail.php 



sendemail.html 


you are here ► 
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make the form “sticky” 



Draw what Elmer's form should look like after he submits it with only the 
first form field filled out. Then write down how you think each of the two 
files (HTML and PHP) should be altered to carry out this new functionality. 


TKc cv-v-ov- 眯 essay 



… but the s^v-ipt 

\rcmcrhbc\rs daia that 

ihSCV-ts 

•_ 七 bddk "the *Po\riin. 



sendemail.php sendemail.html 


Xh?. PttP -(xikes pyc\r /the j.ob o( displaymj 
the bo*th .bc-fo\rc submissiori. f[Y\d 

si^c s^\rip-t has .i?. 和 y 

has bcc»?. 印 ! 七 . 《扑 .plv^ .ih?. badk i^-to 

the .'"t A s . .3C^C\ra-tcd ; This solves Elmers 

pyobjem of hay'mj -to ^o\rm dol^ hc ； s 

alrcadly -filled out 


if .V^C. dispjay *t))C ^o\rm C^*ti\rcjy. }y) ."th?. .PUP.^lpt. 
v/c 《 a” do av/ay yj\{\) the .ttT/y)L pa^c.by Ic-ttmj. 
the PttP s^\ript bo-th shoy/ the -foy ； r»\ a^d fy-odcss it 

In dpmg. so, -the. PttP sd\ript dd^ addess ay\d usc.ainiy. 

Ab{^ c^tc\rcd i)r\*b> *tiiC is impossibjc 

pure ttT/VlL CoAt ： 
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realistic and practical applications 


A form that references itself 


How can it be possible to remove sendemail. html from the Send Email form 
equation? The answer is that we’re not actually eliminating any HTML code, 
we’re just moving it to the PHP script. This is made possible by the fact that a PHP 
script can contain HTML code just like a normal web page. So we can structure 
our script so that it not only processes the form on submission but also displays the 
form initially, which is all sendemail. html was doing. 

The key to the sendemail. php script being able to fill the role left by 
sendemail. html is the form action. Since the script itself now contains the 
HTML form, the form action leads back to the script... a self-referencing form. 


An HTML loriti 

tkat is part oi 

tke PHP script 
tkat processes it 


VVe y\o y\ccd sendemail- 

iascvs d»v"ct*tlv *b> 

七 ^ PttP *to use Wm. 




丁 he data’s "to 

七 he sdvip 七， pvod-csscs 

it ahd displays -the -Pov-m 
bu 七 "this "tirwc rt \rcrwcirhbc\rs 
^Iv-cady 



is known as sell- 
relerencingf. 


sendemail.php 


The s^ripi mrtially shows ihc -fov-r 
and p\rodcsscs i*t when _七 is 
submi-tied. P\rodcss*mj -the -fov-m 
involves ciihc\r sendmg emails or 

displaymj "the -fov-m wrth 如 

cv*\ro\r messdae- 


To understand what’s going on here, think about the first time Elmer visits the page 
(script). An empty form is generated as HTML code and displayed. Elmer fills out a 
field of the form and clicks Submit. The script processes its own form, and displays 
an error message if any data’s missing. More importantly, the script displays the form 
again, but this time it includes any data Elmer has already entered. When a form’s 
smart enough to remember data entered into it in prior submissions, it’s known as a 
sticky form... the data sticks to it! 


Sticky iorms 


remember tke data 
tke user kas already 
correctly entered. 





How do you think we can tweak Elmer’s 
application to make the form fields sticky? 


you are here ► 
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make the form action self-referencing 


Point the form action at the script 

As we’ve seen several times, the action attribute of the <f orm> tag is 
what connects a form to a PHP script that processes it. Setting the action 
of Elmer’s form to sendemail. php works just fine in allowing it to 
process itself, which is the first step toward form stickiness. In fact, the 
form already has its action attribute set to the script: 


yhe a^tioh attvibutc o( the <-Po\rrw> -tag a 

^ 铋七 he that Presses \i, this dasc the 

^ sarwC schdcmail.php Sd\ript -that holds the -fov-m. 


<form action= M sendemail.php" method= n post"> 

^ - V ； 

This is a s*ta 灼 davd <-fovm> _ ) 


happen 

-rovm d< 


-fco use POST *to submi 七七 he 
da*ta *to *tV>c sdvif 七 . 


This code works, assuming you don’t ever rename the script and forget 
to update the code. But there’s a better way that works no matter what 
because it doesn’t rely on a specific script filename. It’s the built-in PHP 
superglobal variable $_SERVER [ ' PHP_SELF ' ], which stores the name 
of the current script. You can replace the script URL in the form action to 
$_SERVER [ 1 PHP_SELF 1 ], and not ever have to worry about updating 
anything if you ever need to rename the script. 


The only catch is that $_SERVER [ ' PHP_SELF , ] is PHP code, which 
means you have to echo its value so that it is output as part of the HTML 


code, like this: 



Instead 如 一 e <^ 。价 

y/c C^Y\ tell I*t bo itscl-f by usm^ the 

j SER\/tRrpttP_StLF3 su^^lobal. 

* 


<form action= n <?php echo $ SERVER['PHP SELF 1 ]; ?>" method="post"> 


Granted, using $_SERVER [ ' PHP_SELF ' ] instead of the 
script name isn’t an earth shattering improvement but it’s one 
of the many little things you can do to make your scripts easier 
to maintain over time. 

stores away tke name oi 
tke current script* 


令一 SEHVERTPHP 一 SELF’] 
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realistic and practical applications 



Tost DriVq 


Try out the new self-referencing script with improved form 
validation logic. 

Modify the code in sendemail. php to use the $output_f orm variable to 
selectively display the form as shown a few pages back. Also change the action 
attribute of the <f orm> tag so that the form is self-referencing. 

You no longer need the sendemail. html page on your web server, so feel free 
to delete it. Then upload the new version of the sendemail. php script to your 
web server and open the script in a web browser. How does it look? 


Po\r some \rcasoh the 

message cveh though the 

•PoVrw CVCh bcCh 

submitted... hot good 




MjSsv Mp Elvis St-ifctJ 


v PrtvaEfl ： For Qmartt use ONLY 

Wntfl 1 afld Mnd an amail Id mailing IlBt rn®i^ibi | rti« 

forgot th* friTMil subjficl arwf body / 



No*t only tViat but 

•rt still IS〆 七 st^ky- 
W!c still Viavc some 
y/ov~k *to dof 





Pi\rs 七 things -fiv-st - v/dl yt "to 
ihe siidky s-tu-P-P *m a 



Write down why you think the script is displaying an error 
message the first time the form is shown: 


you are here ► 
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check for $_POS T[ f submit 1 ] 


Check to see if the form has been submitted 

The problem is that the script can’t distinguish between the form being displayed 
for the first time and it being submitted with incomplete data. So the script 
reports missing data the very first time the form is displayed, which is confusing. 
The question is, how can we check to see if the form is being submitted? If we 
know that, we can make sure we only validate data on a submission. 


Remember how, when a form is submitted using the POST method, its data is 
stored away in the $— POST array? If the form hasn’t been submitted, then the 
$— POST array isn’t filled with any data. Or to put it another way, the $_POST 
array hasn’t been set. Any guess what function we could call to see if the 
$—POST array’s been set? 


Tk issc-to cMtcks see 

\( a vav-iablc lias be ⑼ set 

if (isset($ POST['submit'])) 


丁 his must -the of the 

<i 呷 ul> tag 4\f youv- Submit buWoh. 

{ 


Code m iicv-c >m»II o\r\ly 

七 <po\rm’S bcc\r\ subw'i't'tcd- 


Since every form has a Submit button, an easy way to check to see if a form has 
been submitted is to see if there’s $— POST data for the Submit button. The data’s 
just the label on the button, which isn’t important. What’s important is simply the 
existence of $— POST [’ submit ▼] ， which tells us that the form has been submitted. 
Just make sure that ' submit' matches up with the id attribute of the Submit 
button in the form code. 


Tke 令一 POST 


supergflotal 
allows us to 
ckeck and see ii 
a lorm kas teen 
submitted. 


tKereiare no o 

Dumb Questions 


How does knowing if the form was submitted stop us from 
accidentally displaying validation error messages? 

The reason the error messages are being shown incorrectly 
is because the script doesn't distinguish between the form being 
submitted vs. being displayed for the first time. So we need a way 
to tell if this is the first time the form is being shown, in which case 
empty form fields are perfectly fine—it's not an error. We should only 
validate the form fields if the form’s been submitted, so being able to 
detect a form submission is very important. 


So why don't we check to see if real form data’s set, 
instead of the Submit button? 

It would work perfectly fine to check 
$_POST [ ▼ sub j ect' ] or $_POST [ ' elvismail'], 
but only for this particular form. Since every form has a Submit 
button that can be consistently named submit, checking $_ 
POST [ 1 submit' ] gives you a reliable way to check for form 
submission in all of our scripts. 


202 Chapter 4 


realistic and practical applications 


T]ie Etna!] ^crift Up C] 

<?php [ 

$from = 'elmer@makemeelvis.com 
$subject = $_POST['subject']; 

$text = $_POST['elvismail']; 

$output_form = false; 

if (empty($subj ect) && empty($text)) { 

// We know both $subj ect AND $text are blank 
echo 'You forgot the email subj ect and body text.<br / >'; 
$output_form = true; 

} — 

if (empty($subj ect) && (!empty($text))) { 

echo 'You forgot the email subj ect.<br />'; 

$output_form = true; 


if (isset($_POST['submit'])) { 






if ((!empty($subject)) && empty($text)) { 

echo 'You forgot the email body text.<br / >'; 
$output_form = true; 


if ((!empty($subj ect)) && (!empty($text))) { 

// Code to send the email 

^ ... TWis pavcr>*tKcs*is closes i\\t 

_ _i-f ； tells us i-f 

七 lie -fovm v/ds submitted. 


else { 

$output form = true; 


if ($output form) 


-fov-rn^s hcvcv- beeh 
submi-t-ted, wc dc-Pihi-tdy 
need h> show it/ 


?> 


<form method= n post" action= M <?php echo $_SERVER['PHP_SELF']; ?>"> 

<label f or=" sub j ect">Sub j ect of email : </labelxbr / > 

<input id="subj ect" name= M subj ect" type= M text" size="30 n / xbr / > 

<label for="elvismail">Body of email : </labelxbr / > 

<textarea id= n elvismail" name= M elvismail" rows = "8" cols= M 40"></textareaxbr / > 
<input type= M submit" name="submit" value="Submit" / > 

</form> 


<?php 

} 

?> 


you are here ► 
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make the form fields “sticky 



Cool. So we can now detect the form 
submission and show error messages 
correctly. But we still haven't made 
the form fields sticky, right? 


That's right. Detecting the form submission is important, but 
we still need to plug the sticky form data back into the form. 

Knowing if the form’s been submitted is an important part of making it sticky, but it 
isn’t the only part. The part we’re missing is taking any form data that was submitted 
and plugging it back into the form as the form is being output. You can set an input 
form field using the value attribute of the HTML <input 〉 tag. For example, this 
code presets the value of an input field using the value attribute: 


<input 


This value is haird^oded - its always 
■the same cvc\ry -time the -fovm is shovm. 



name="subject n type= n text n value= n Fall Clearance!"> 


But we don’t want to hardcode a specific value. We want to insert a piece of data 
from a PHP variable. How is that possible? Remember that we’ve used echo to 
dynamically generate HTML code from PHP in other situations. In this case, we can 
use echo to generate a value for the value attribute from a PHP variable, like this: 


PHP lc is ^ ^ 

variable, v/c V^avc bo use a tcMo 紐⑽甿 

<input name= n subject" type="text" value= n <?php echo $subject; ?>’▼> 

*to vc*tuvr> badk *to y' 

HTML, dost uf *tKc 

PttP toAt *thc ?> 


Fo\r a a\rca mpui -field, 
we edho -the siitky ddia 
’m between ihc <icx-tav-ca> 
</ic^-tav-ca> -tags 
ms-tc^d o-f us*mj "the vdlue 


Elmer’s form can then be modified similarly to take advantage of sticky data: 

<form method= n post" action= M <?php echo $_SERVER['PHP_SELF *]; 
<label for= M sub j ect M >Subj ect of email : </labelxbr / > 
<input id="subj ect" name="subj ect" type= M text" size="30" 
value= M <?php echo $subj ect; ?>" / xbr / > 

<label f or= M elvismail">Body of email : </labelxbr / > 


?>"> 


<textarea id= M elvismail" name= n elvismail" rows= M 8" cols = n 40"> 
<?php echo $text; ?></textareaxbr / > 

<input type="submit" name= M submit" value= M Submit" / > 


</form> 
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realistic and practical applications 



Tost DriVq 


Check to see how sticky Elmer's data really is. 

Change the code in sendemail. php to check $—POST for the form submission, 
as well as adding echo code to the form so that its fields are sticky. Upload the 
new version of the script to your web server and open the script in a web browser. 
Experiment with different form field values, including leaving one or both fields 
empty, and submit it a few times. 



Boy, that was dumb leaving the body of the 
email blank. Thankfully, ril never do that again now 
that the form is on top of things. And I don't have to 
keep re-entering the same data to fix it either. 


It. Elvi-, Sriid Em.iii 


Prfv 蠡 w: PflrBrrMrt use only 

WrttftancJ Mndan ama.itc railing list msm&sr*. 
fiorgot His email t>Kjy ia,-i 

SutHuaufwnail 


Ocaiijnir! 



T\\t Send Email shrift Y\o>N 
siioy/s d)r\ CVVOV message 

5Ucv- leaves a -fovm -field 
blank ， bu 七 rt vcmcmbcvs ar>Y 
da*td did ⑼七 伙 . 
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when good DELETES go bad 


Some users are still disgruntled 


Form validation has gone a long way toward dealing with Elmer’s frustrated 
customers, particularly those who were receiving blank emails. But not everyone 
is happy. It seems a few people are receiving duplicate emails... remember this guy 
from earlier in the chapter? 


q q, Spam? — Inbox 

FrDin: h£HHl Kir=*M； ln/> 

^ublivck Bpnm? 

Dnic: OiTlnbrw liS'MMi PM COT 

Td: Flir^f PriMhiy ■ciHnn:r®irvikmH；t txinu 


Flmnr 

k sate. 

Yaur LoyaiBut An 聞 
Fllinrt 


This dus"fcornc\r is 
-P\rus-t\ratcd because he 
keeps \rcdcivihg multiple 
topics op Elmers emails. 


Elmer knows he didn’t send a message more than once, leading him to suspect that 
maybe some users have accidentally subscribed to his email list more than once. Not 
a problem, just use the Remove Email page/script from the last chapter to remove 
the user, right? 

Unfortunately, it’s not that simple. Removing Elbert using his email address will 
completely delete him from the email list table, causing him to no longer 
receive any email messages from Elmer. We need a way to only delete Elbert’s extra 
rows from the table, making sure to leave one. 


eon 


Usmg Remove Email 

七 he pvcvious Aaf 七 ev" v/ould 
vemove dus*borwcv c^tivcly 

•(Vo 你 did*bdb3sc ； V/KldK I 

y\o*t V/C 


Me Elv-is - Removfi Ema^li 



Emer h k ?rail aJdreaa LOferr^vs. 
Pr*tiil mldmu 
L'UMMS^ieilwiprwhBls-.l? z 







How can Elmer delete all but one of the multiple rows 
in his table that have identical email addresses? 
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realistic and practical applications 






Hmm. The problem is that there are multiple rows 
in the table but no way to distinguish them from each 
other. Without a way to isolate them individually, any 
DELETE we try to do will delete all of them. 


Joe ： Maybe our Add Email form should check for duplicate email addresses before 
adding new users. That would fix it, right? 


Frank: Excellent idea. 

Jill: Yes, that would solve the problem moving forward, but it doesn’t help us deal with 
duplicate email addresses that are already in the database. 

Frank: Right. What if we tried to use a different column in the table to delete the 
extra rows, like last—name? 

Jill: I wondered about that, but using a last name is potentially even worse than an 
email address. What if we wanted to delete someone named John Smith from our 
mailing list, and we ran the following SQL code: 


DELETE FROM email list WHERE last name 


'Smith' 


Joe ： We wouldn’t just delete John Smith from our table; we’d be deleting Will Smith, Maggie Smith, Emmitt Smith... 

Frank: Wow, that wouldn’t be good. Last names are more likely to be common across rows than email addresses, and 
first names would be even worse than that. We could lose dozens and dozens of rows with one simple query. 


Jill: Exactly. We can’t risk using a WHERE clause that will delete rows we need to keep. We need to be certain we can 
pinpoint just the ones we want to remove. 

Joe ： So what the heck do we do? We can’t use email, last_name, or f irst—name in our WHERE clause. 
Frank: We’re out of columns in our table to use. Looks like we’re out of luck. 


Jill: Not necessarily. What we really need is something to make each row of the table unique — then we could pinpoint 
rows without any trouble. And just because we don’t currently have a column that has a unique value for each row 
doesn’t mean we can’t add one. 


Joe ： A new column? But we’ve already decided on our table structure. 

Frank: Yeah, but what we’ve got isn’t meeting our needs. You’re right that it would be better if we had realized this 
beforehand, so we could have designed our table accordingly, but it’s not too late to fix what we’ve got. 

Joe ： OK, but what would we call our new column? What data would we put into it? 

Jill: Well, since its purpose would be to uniquely identify each row in the table, we could call it identifier, or 
maybe just id for short. 


Frank: Nice, and we can fill the id column with a different ID number for each row, so when we execute our DELETE, 
we’ll be removing rows based on a unique number, instead of an email address or surname. 

Joe ： Exactly. It’s really a great idea, isn’t it? I’m so glad I thought of it. 


you are here ► 
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adding a primary key column to a table 


Table rows should be uniquely identifiable 


Part of the whole idea of sticking something in a database is that later on you’d like 
to look it up and do something with it. Knowing this, it’s incredibly important for 
each row in a table to be uniquely identifiable, meaning that you can specifically 
access one row (and only that row!). Elmer’s email—list table makes a dangerous 
assumption that email addresses are unique. That assumption works as long as no 
one accidentally subscribes to the mailing list twice, but when they do (and they will!), 
their email address gets stored in the table twice... no more uniqueness! 


What Elmer's table contains wow: 



first name 

last name 

email 

Denny 

Bubbleton 

denny@mightygumball.net 

Irma 

Werlitz 

iwer@aliensabductedme.com 

Elbert 

Kreslee 

elbert@kresleesprockets.biz 

Irma 

Kreslee ' 

elbert@kresleesprockets.biz 


More <>hc person i\\t 

same -Pivs-t so *t^'»s »s^*t a ^ood 

Aoi 乙 C -for a £.olumy\. 



ok> u^i^uc las-t ^ames. 


WothihJ ih the s-tv-udtuv-c 

this table guav-ahtccs 

A 灼 d while most 

灼 ’ *b dour\*b oy \ 
alv/ays bemj tase. 


When you don’t have a column of truly unique values in a table, you should 
create one. MySQL gives you a way to add a unique integer column, also called a 
primary key, for each row in your table. 


What Elmer's table should contain: 


IVe y\ttA a new 匕 oLnrm ihai ^o^-tai^s a value 
ihai is \AY\\o\yc (oy cvcv-y row m ihc -table- 


id 入 

first name 

last name 

email 

1 

\ Denny 

Bubbleton 

denny@mightygumball.net 

2 

| Irma 

Werlitz 

iwer@aliensabductedme.com 

3 

J Elbert 

Kreslee 

elbert@kresleesprockets.biz 

4 / 

Irma 

Kreslee 

elbert@kresleesprockets.biz 



|^oy/ 七 dolunrm tor\*ta'ms d 
value, ddr> be suvj tiiat cvevy voy/ m 
ouv- table is *tvuly unique. 


匕 、 Duplicate ih othev- 

乙 olurrms ho loh^CV" 3-P-Pc^ts 

"the Uhi^uChCss o-f v-ows 
bc^usc the hew id dolumh 
takes UYt Op that 
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realistic and practical applications 



Hey genius, you know if we want to make 
a change to the table structure, we have to 
do a DROP TABLE and then recreate it from 
scratch. Elmer's email data will be toast! 


It's true that drop table would destroy Elmer's data. But 
SQL has a another command that lets you make changes 
to an existing table without losing any data. 

It’s called ALTER TABLE, and we can use it to create a new column without 
having to drop the table and destroy its data. Here’s what the general format of 
an ALTER TABLE statement looks like for adding a new column to a table: 


•table *to be al*tcv-cd. 


The holme o( the hew 
匕 olumh "to be added- 


ALTER TABLE 


f— 厂 

table name ADD column name column type 

T\\t data type 

-tiic doluwm. 


We can use the ALTER TABLE command to add a new column to the 
email—list table, which we’ll name id. We’ll give the id column a data type of 
I NT ， since integers work great for establishing uniqueness. Some other information is 
also required, as this code reveals: 


The Y\3in\c o( the -table 
wc ijo al-tcv*. 



We bo AW a 

匕 £-311 id* 



This tells -the MyS^L scv-vcv io add 
I "to ihc value s-fcoved m -this doluwm 
•fov- cadh hew v-oy/ ihsev-ted- 



ALTER TABLE email list ADD id INT NOT NULL AUTO INCREMENT FIRST, 


ADD PRIMARY KEY (id) 



TVis Irbble cM\Atk 
dode 七 ells MyS^L 
i\\ai *biic 灼 
id fi.oluw\r\ is *bV^C 



/ 

The data type 

"the 匕 olurvm rvtdkcs 

it |/V 7 cgc\r. 


r 

FIRST -tells / 1 /IyS^L *to make v>C>M tolumy> 
•p’ivs 七 •… 七 XKis isbu 七 *rt s 

^ood -(*ov*nr\ *(jo ^u*t youv* id dolur»\r> 


This ALTER TABLE statement has a lot going on because primary keys have 
to be created with very specific features. For example, NOT NULL tells MySQL 
that there must be a value in the id column — you can never leave it blank. 


pv'imav-y key -Pov- 七 he 
•table- More, or\ 七1^七 
•m jus*t 3 se 乙 f 


AUTO_INCREMENT further describes the traits of the id column by causing it to 
automatically get set to a unique numeric value when a new row is inserted. As its 
name suggests, AUTO_INCREMENT automatically adds one to the last id value used 
in a row and places this value into the id column when you INSERT a new row into 


your table. Finally, PRIMARY KEY tells MySQL that each value in the id column is 
unique, but there’s more to it than just uniqueness... 
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all about primary keys 


Primary keys cwforcc uniqueness 


A primary key is a column in a table that distinguishes each row in that table as 
unique. Unlike normal columns, which could also be designed to be unique, only 
one common can be made the primary key. This provides a clear choice for what 
column to use in any queries that need to pinpoint specific rows. 

In order to ensure this uniqueness for primary keys, MySQL imposes a bunch of 
restrictions on the column that has been declared as PRIMARY KEY. You can think 
of these restrictions as rules to be followed as you work with primary keys: 

The five rules of primary keys: 



A primary key is 


a column in your 
table tkat makes 
eacli row unie jue. 



The data in a primary key can't be repeated. 

Two rows should never have the same data in their primary keys. No exceptions — a 
primary key should always have unique values within a given table. 



A primary key must have a value. 

If a primary key was left empty (NULL), then it might not be unique because other rows 
could potentially also be NULL. Always set your primary keys to unique values! 



The primary key must be set when a new row is inserted. 

If you could insert a row without a primary key, you would run the risk of ending up with 
a NULL primary key and duplicate rows in your table, which would defeat the purpose. 



A primary key must be as efficient as possible. 

A primary key should contain only the information it needs to be unique and nothing 
more. That’s why integers make good primary keys — they allow for uniqueness without 
requiring much storage. 



The value of a primary key can’t be changed. 

If you could change the value of your key, you’d risk accidentally setting it to a value you 
already used. Remember, it has to remain unique at all costs. 


The id ^olurwh \ y \ -table 

doesn't have v-cpcai daia, 
has a value -fo\r cvcv-y vow, is 
au-tomatidally set when a 

v-ow is msev-ted, is 



y id 

first name 

last 一 name 

email 

1 

Denny 

Bubbleton 

denny@mightygumball.net 

2 

Irma 

Werlitz 

iwer@aliensabductedme.com 


• • • 
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Tost DriVq 


Alter Elmer's table and try out inserting a new row of 
data with a primary key. 

Using a MySQL tool such as the MySQL terminal or the SQL tab of 
phpMyAdmin, enter the ALTER TABLE statement to add a primary key 
column named id: 

ALTER TABLE email—list ADD id INT NOT NULL AUTO_INCREMENT FIRST, 
ADD PRIMARY KEY (id) 

Now insert a new customer to the database to see if the id column is 
automatically set for the new row. Here’s an example of an INSERT 
statement to use (notice the primary key isn’t mentioned): 

INSERT INTO email_list (first—name, last_name, email) 

VALUES ( 1 Don ' , ’Draper 1 , 'draper®sterling-cooper.com') 


Finally, issue a SELECT statement to view the contents of the table and 
see the new primary key in all its glory! Just in case you’ve forgotten, 
here’s the SELECT statement: 


SELECT * FROM email—list 



mysql> SELECT * FROM email—list; 


The hCW id 乙 olurrm 
is du-to— 

SO that it \remaihS 
-Po\r the hew 

<row of data. 



last name 

1 

email 1 

Bubbleton 

Werlitz 

Kreslee 

Kreslee 

Draper 

i 

1 

1 

1 

1 

1 

- + . 

denny@mightygumball.net 1 
iwer@aliensabductedme.com 1 
elbert@kresleesprockets.biz I 
elbert@kresleesprockets.biz I 
draper@sterling-cooper.com 1 


5 rows in set (0.0005 sec) 
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cubicle conversation 


O 


o 


Okay, so now every row in the table has a 
unique primary key. How does that help? Elmer 
still deletes based on email addresses. 



Joe ： The problem is that the user needs to pinpoint rows of data using the 
primary key instead of the email address. 

Frank ： That’s right! So we just need to change the form so that the user enters the 
ID of a customer instead of their email address. No problemo! 

Jill ： Actually, big problemo. The user has no way of knowing the ID of a customer 
without somehow finding them in the database. In fact, the user doesn't know 
anything about the database structure. Maybe what we need is to rethink the form 
so that it lists out all the names and email addresses in a list with checkboxes next 
to each one. Here, I’ll sketch it for you. 


The value of -the 

will 

keep i^rack of 
the id value. 



Frank: Nice sketch, but how does that help Elmer isolate a customer for deletion 
using their ID? 

Joe ： Hmm. What if we stored the customer ID in the value of the checkbox. That 
way it isn't actually visible, but the script can get to it. 

Jill ： That's a great idea. So we could generate the form automatically in a loop by 
doing a SELECT to get all the data, and then creating each checkbox input field 
from a row of query data. 

Joe ： Cool. But what happens when the Submit button is pressed? What does 
$ POST have in it? 

Frank ： Hang on, Joe, we’ll get there in a minute. Let’s just start by building this 
part of the script, the part that displays all the data from the table and writes out 
those checkboxes... 
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realistic and practical applications 



PHP& MySQL Magnets 

Use the magnets below to finish the missing code for the Remove Email script, which presents a series 
of checkboxes for the customers in Elmer's database. Note that this code just creates the form; don't 
worry about the code that performs the DELETE just yet. 


- - ,,, n o c n " = q 七 vl e =n f lost: r ight /> 

<img src=-blankface.jpg" width="161" heig J ° , height= ” 3 2” border。” ◦” alt=-Make Me Elvis' 

— . </p> 


/> 


〈form method= n post M action- 


echo $—SERVER r PHP— SELF 1 ]; 


'> 


<?php , H Q rom . 'elmer', 'theking', 'elvis_store') 

$ dbc = m Y sqli_connect('data.makemeelvxs.com , 

or die('Error connecting to MySQL server.), 

// Display the customer rows with checkboxes for deleting 
$query = "SELECT * FROM email—list n ; 

$result = mysqli—query($dbc, $query ), 


while ( 


mysqli— fetch—array($result)) 


echo 1 〈input type= M checkbox" value= 


name: 


1 todelete[] M /> 


echo 


echo 


echo 


echo '<br />'； 


mysqli 一 close($dbc) 


?> 


〈input typ© =n submit" name— 


</form> 


value= M Remove n /> 
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php & mysql magnets solution 



PHP & M^SQL Magnets Solution 

Use the magnets below to finish the missing code for the Remove Email script, which presents a series 
of checkboxes for the customers in Elmer's database. Note that this code just creates the form; don't 
worry about the code that performs the DELETE just yet. 


- - , , ,_ n q cpv n a i -i-= mm qtvle =,, flo3t:right /> 

<img src="blankface.jpg" width="161" heig J ° , height= ” 3 2” border=”Q” alt="Make Me Elvis 

-a. llSt an，™.< /P > 


'> 


echo $ SERVER[' 

一 J 


<form method= n post” action= n . <?php [ 

This -fovm is scl-f— 

<? $dbc = mysqli_connect('data.makemeelvis.com-, 
or die('Error connecting to MySQL server.), 

// Display the customer rows with checkboxes for deleting 
$query = "SELECT * FROM email—list n ; 

$result = mysqli—query($dbc, $query ), 

. myS qli— fetch—array($result)) { 


PHP SELF ']； 




'> 


theking', 'elvis—store 1 ) 


l^lihC PHP todt still has 
■to be flawed ihside <?php 
3 hd ?> -tags. 


while ( .CQ3 ， 

echo ,〈input type= M checkbox" value 二 , 

.m 


$ 


row 




rrr 


row 


last name 


echo '<br /> 


Id 

M 

email 

1 1 ' 

rn 



TK'is is v/Kcvc fvimavy key 
yU used m 七 he dKcdkbo% — 
y/e dar> use *tiVis la*tcv- *to delete 
dv>y dKcdkcd dus*tomCV-s. 


id 


name= M todelete[] M /> 


Each 

•field is ^ohs-tv-ud-ted -fvom 
a \row o-f tus-tomcv- data. 


mysqli 一 close($dbc) 


?> 


〈input typ© =n submit" name- 
</form> 


TV^ sC-vipt docsn t actually 
do aw/ dclctmj yet 
Y\o^n I*b just fv-cscir^-bs a lis-b 
<Jc ^cdkbo%cs. 


value= n Remove" /> 


匕如 K>arwc you\r Submit birttoh 
you v/a^i - jus-t be su\re "to ihc 

Mme la-tc\r i-f you decide io 乩比 k f__P0ST 

"to see i-f the -ro\rrw v^s submi-tted. 



removeemail.php 
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realistic and practical applications 


From checkboxes to customer IPs 


The checkbox code generated by the Remove Email script is simple HTML with 
our primary key (id) stuffed into the value attribute of the <input> tag. There’s 
one small, but very important change from ordinary checkbox HTML code, though. 
You might have noticed square brackets ([ ]) at the end of the checkbox name — they 
serve a vital purpose. 


echo '<input type="checkbox" value="' . $row['id'].' 

The square brackets result in the creation of an array within $_POST that stores the 
contents of the value attribute of every checked checkbox in the form. Since each 
checkbox’s value attribute contains a primary key, each value in the todelete 
array is the ID of the row in our table that needs to be deleted. This 
makes it possible for us to loop through the todelete array and issue an SQL 
query to delete each customer that is checked in the form. 


name="todelete []’▼>▼; 

/ 

Tiic bvadkc*U at 

i\\t tv\A o( di^ctkbo% 

auto 你 at! 匕 ally pu*t 
tiicdkbo% values m a 灼 av-v-ay 
earned w *fcoddc*tcn . 


^ m 


〜 Ha it%-,% . 


— 心心如 ID 

tusWcv- sWa ； ay/ay, is 吻咖義 —■ 咖刪 -加咖咖 

addessible 怅。一如 lobal. 

L，bH，1 t，&n ^- s HHMipr0d W rtj t，, 



I get it. We just use a while loop to cycle 
through the todelete array and delete 
each of the customers using their IDs. 



We could use a while loop but there’s a more elegant 
solution using a different kind of loop. 

The foreach loop is a special kind of loop designed specifically for cycling 
through values stored in an array. All you need to do is specify the array 
you’d like to loop through and a variable to store the values in, and PHP will 
take care of iterating over them one by one... no test condition required! 


Write down how you think a foreach loop might loop through 
an array of Elmer ? s customer IDs: 
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anatomy of a foreach loop 


Loop through m array with foreach 


The foreach loop takes an array and loops through each element in the array 
without the need for a test condition or loop counter. As it steps through each 
element in the array, it temporarily stores the value of that element in a variable. 
Assuming an array is stored in a variable named $ customers, this code steps 
through each one: 


As the loop joes ihiroujli eadh mdividual 
^ clement m the airray, will icrwpov-avily 
J s'to'rc ihcrw \y\ a variable v/i-th this 

foreach ($customers as $customer) { 


TKc av-v-ay you *to 
loop -t^v-ou^K appears -f iv-st 


echo $customer 


l^de <Jc loop, you dav> atdess cadK element 
usm^ *tiic vav-iable you jus 七 pvovided- 


So if we want to loop through the customer IDs stored in the $_POST array in the 
Remove Email script, we can use the following foreach code: 

the a\r\ray is s-fcov-cd inside 
of the / 一 POST supev-^lobal ； 
and ide^ti-fied by 

foreach ($_POST['todelete'] as $delete_id) { 



dcr^Cht o-p the av-v-ay 
Will be aUcssMc thv-ough 4c 

^a\)\c fdclctc id. 


// Delete a row from the table 

欠 ^ We ddr> use /delete id *to delete cadii 
tus-tomcvs -fv-om database. 


The $ delete—id variable holds the value of each array element as the loop 
progresses through them one at a time. 


Wc use this vaH^ble 

■to 3^ess -the ID o-P 

^ush>rtne\r ahd thch delete 
them -pv- om the table- 


[Wjif Mtf f - R*m 



^ n r? — 

PIrru fHtaamn Amal 成 iwiAt b 咖隱 flma,1 

bfc nrpd Qitk Hnnwwfi 

句 OflnrnrCUJbb^bin 勿抓级爪训的 untallflflL 
iiVurlfj wnr^inrwabductpfl^jnim 

@1 Iftth Rvste* 

bA Don Dr«>sf j&o«” 


$delete_ 




〆 





$_POST[ , todelete , ] 


With the foreach loop now stepping through each of the checked checkboxes 
in the Remove Email form, we just need to add code inside of the loop to issue a 
DELETE query and actually delete each row from the email 一 list table. 


Wc 乙 or^sbru 己 "ted *t^is 

avv-ay so i*t o^ly 
Isolds c.us*tomcv"s *tiia 七 
y^ect cMtcVtd m {\\t 
Remove tmail -fov 


>vw\. 
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realistic and practical applications 




Finish the code for Elmer’s new and improved removeemail .php script so that it deletes 
customers that have been checked in the form when the form is submitted. 


$dbc = mysqli_connect('data.makemeelvis.com ', 'elmer ', 'theking ', 'elvis_store') 

or die('Error connecting to MySQL server .')； 

// Delete the customer rows (only if the form has been submitted) 

if (. ) { 

foreach ($ POST['todelete'] as $delete id) { 


echo 'Customer(s) removed.<br / >'; 


// Display the customer rows with checkboxes for deleting 
$query = M SELECT * FROM email 一 list ”； 

$result = mysqli—query($dbc, $query); 
while ($row = mysqli 一 fetch array($result)) { 

echo '<input type= M checkbox" value= M ' . $row['id'] . ' M name= M todelete[] M / >'; 

echo $row[ 1 first—name']; 

echo ' ' . $row['last—name']; 

echo ' ' . $row['email']; 

echo '<br / >'; 


mysqli_close($dbc); 

?> 


〈input type= M submit" name= M submit M value= M Remove" / > 
</form> 



removeemail.php 
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the revised removeemail.php script 



Finish the code for Elmer’s new and improved removeemail.php script so that it deletes 
customers that have been checked in the form when the form is submitted. 


O^ly ddcic 

匕 uS"tomcv*s 

i-f ihc 

hols bcch ^ 

submitted# 


$dbc = mysqli_connect('data.makemeelvis.com ', 'elmer ', 'theking ', 'elvis_store') 

or die('Error connecting to MySQL server .')； 

// Delete the customer rows (only if the form has been submitted) 


TYisscWf posnw) 


foreach ($ POST['todelete'] as $delete id) 


Use fdelete id *to 
Aoose e 乂 ad 七 

f|\uc\ry =• W pELETE FRO/yi (CmaiMist lAfttERE id 〒 .fWki?」0 
mys^li__^uc\ry(f^uev-y) 
o\r dicO&r\ro\r ^ucvymg database ^; 


echo 'Customer(s) removed.<br / >'; 


// Display the customer rows with checkboxes for deleting 
$query = "SELECT * FROM email_list M ; 

$result = mysqli—query($dbc, $query); 
while ($row = mysqli—fetch array($result)) { 

echo '<input type= M checkbox" value= M ' . $row['id'] . "’ name= M todelete[] M / >'; 

echo $row['first—name']; 
echo ' ' . $row['last—name']; 

echo ' ' . $row['email']; 

echo '<br / >'; 

The todt 七 he 

} dus-torwcv dhcdkbo^cs is 七 he 

sarnc as you dv-catcd i*t bc-Pov-c- 



mysqli_close($dbc); 

?> 


〈input type= M submit M name= M submit" value= M Remove" / > 
</form> 



removeemail.php 
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realistic and practical applications 


— Tesr DriVq - 

Take Elmer's newly revamped Remove Email script for a spin. 

Modify the code in the removeemail. php script so that it generates customer 
checkboxes instead of using the old email text field. Then add the code to delete 
customers whenever the form’s submitted. Also change the action attribute of 
the <f orm> tag so that the form’s self-referencing. 

Now that removeemail. php uses a self-referencing form, you no longer need 
the removeemail. html page on your web server, so feel free to delete it. Then 
upload the new version of removeemail. php to your web server and open the 
script in a web browser. Check off a few customers and click Submit. The form 
immediately changes to reflect the customer removal. 


A O n 


M.iliv Mf E\vv. itfiimvi- Em.iil 


Rn w &\B e-maii n dele» fren 

list and apct; Kernovs. 

□ Dftnny 問 Mil nnr 

q imta Wyditz 舶 sabductedirw/oom 

: Elhnn KynnJf.R Nhrtn®krrtr;l 加 npmftkfim hi? 

I mu Kratl 时 6nz 

]Dran rtr^jwinSsi^rti ig Mapfvr «hti 


K 


Hfmcirvf 


W\\tv\ you dhe 匕 k o-P-P a dus-fcomcv- 

扣 d didk Subr^i-t, -tliC dus-torwcv- ； s 

v-erwoved -Pv-orw -the ddidbase- 



1^1 

Mate 赃咏，⑽ 

C^usfarnertsj PBfTwwd^ 

咖 ail. na t 

: ^ 籼舭 '^rffliiliunKjbdu^cIrnLM^rn 
t Llbflrt 物咖 * eibengBkfeaieegpKjti：^ blI 

JDonDrumr 

『 ftrmavp % 

一一 
dus*fcomCV" vcw^oval 3 r\d 3 lso 

updates -tKc £.Kcdklis*t — 

dieted tuS-fcorwCV- IS Y\O^I <^OY\t. 
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S 




4. 






Totally digging my new 
Remove Email form. Time 
for a vacation. Viva Las 
Vegas, baby! 



Elmer’s got a fully functioning application. He can add customers, 
send out spectacular sale emails to just the customers who want to 
receive them, and delete customers who have traveled to the dark 
side, or just want to be removed from his list. Life is good. 


■tot ONLY 




麗 m 

I pi win 




Djo^m^n 

ft- mmmiMrn CM pm'ni ifi 


Hrd hk* JJ-* 1 "_ 

Lvil IVfW n«4 

Sma pjte 4 MP4HE* 

^ Uivf * 
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realistic and practical applications 



Your PHP MySQL Toolbox 

You bagged quite a few new PHP and 
MySQL skills while taking Elmer's web 
application to a whole new level... 


alter table 


T\\t o^cva-bov, ov NOT 

O^CV*3*boV", VCVCV"SCS d *tv*uc/-fdlsc 

value- So *bvuc becomes -false 
-false becomes *brue. 


? is 缘 

七 he stvudtuvc <^p a iabl wh 
f addihj a hew dolu^h daia 

T ^ ls allows -to alt 饮 a iablc 

stirudtuvally without hdvihQ -to 
^°? '*t ahd s*ta\r*t over. 


if, else 

The PttP i-f s*t3 七⑽伙七 makes 
dedisio^s based or\ y/hc-blicv- ov ⑽七 
Somrbhrn^ is *tv*uc. ^ivc i*b 3 *tv*uc/ 
-false -best do^ditioi^ some 

a£.*bioir\ toAt) and a 朽』 

y/ill lc*b you mdkc dll ki^ds of Coo\ 
dc£-isio^s. else ^Uusc £-3^ be 
added bo i-f s*ta*bc^c^*b *to 
i 七扣 a\itrr\ait athoy\- 


<r > 



foreach 

A PttP loo^m^ 乙 。灼 stvu 乙七 *bha 七 lc*b 
you loop *b^v*ou^li dv' 3v*v*5Y oir\C 

clcmc^i a*b a 七一 vU us” a 

-test ^or\d*itioir\. Inside {ht loop, you 
c^y\ scct^s clcmc^*b oi 
avvay. 


CompaHsoh opc\ra*to\rs that tav\ be 
used io dohsiwt icsi dohditiohs 
七 hat dompa\rc values {p eadh o*thd 
These a\TC o^ich used -to doh*b*o| 

_*P s*t^*tcmch*ts 3hd loops. 


isset(), empty() 

The built-ih PWP isseto -fuhdtioh 

icsis -to see i-p a vaHdblc exists, 
whidh mcahs that it has beeh 
^ssijhcd a value- The cmj>£yO 
*fuhd"tioh "t^kes *thihjs ohC s*tcp 
*fu\r*thcir 3hd dc*tcv*mihcs whether 
a v a\riable doh-taihs ah cmpiy value 
to, empiy st\riha, ^alsc, o^ 

NULL). 


&&, OR 

These a 代 lo^idal o^a-to^rs *tV>a*t 
a\rc used *to build cx^cssiems 
mvolvm^ *tvuc/-fsUc values. 
Combmm^ *bwo values y /也 && 
( 靡 ) rcsul-b *m W O^ly bo-tK 
values are *tv*uc. Combmm^ values 

y/i*bV> || (OR) V-CSul*b -true i-f 

ci-t^cv- of -tV^c values is -true. 


CHAPTER 4 
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5 Working With delta stored !n ¥!les 



When a database just 


Don't believe the hype...about databases, that is. Sure, they work 

wonders for storing all kinds of data involving text, but what about binary data? You 
know, stuff like JPEG images and PDF documents. Does it really make sense to store 
all those pictures of your rare guitar pick collection in a database table? Usually not. That 
kind of data is typically stored in files, and we'll leave it in files. But it's entirely possible 
to have your virtual cake and eat it too — this chapter reveals that you can use files and 
databases together to build PHP applications that are awash in binary data. 


this is a new chapter 













guitar wars needs screenshots 


Virtual guitarists like to compete 


Apparently creating art for art’s sake isn’t always enough because players 
of the hot new game Guitar Wars are quite enamored with competitive 
virtual guitar playing. So much so that they regularly post their high scores 
at the Guitar Wars web site，which you are now in charge of maintaining. 
Problem is, there isn’t currently a good way to verify the scores. 


War4 - Hlgft Scfircs 

Guitar Wars- High Scores 

^ t atBkcslB<PK tdKhish 

WdMfW.CuiUJ 机缸卿 ㈣ whBt 

I 127650 

[>atc: 1437:2 

98430 

Namr-.XcvUJifiians.'HHi 

Dal *； 21 ■耵別 

345500 

liddie VMilLU 

282470 

36 船 0 

Asbao Slmpsop, 

Uacc ： 仿： 


TV guitar Wa^rs application 
allows usc\rs -to add -thciv- ovm 
stores -to the high sdov-c lis-fc. 


ho way -to vcv-i-fy ; wc 
匕如七 khow whose sdov-c is 

valid 3hd whose ish’t. 


Text can't be trusted 



Bdita, skcptidal 
与 uita\r IVav-s v-odkc^. 


i{ 0 €U 


Right now players just post up their high scores purely as text, and there 
have been lots of disputes over whose scores are valid and whose aren’t. 
There’s only one way to put an end to all this bickering and crown a 
^itimate Guitar Wars champion... 




5 

fer 

ap 
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picture 

The proof is m thernkm^ 


Visual verification of a high score is what we need to determine who’s 
for real and who isn’t. So the Guitar Wars application needs to allow 
users to submit a screen shot of their high score when posting their 
score. This means the high score list will not only be a list of scores, 
names, and dates, but also a list of images (screen shots). 

祕 — 

w “d out 

•, s a 6 i^ \A/avs Vaud! 



Ver ified 


f 


Bdd\c, \rotkc\r 
W^v-s store -fakcv-. 


~~wrrirvm£L^ " H,ah 

345900 


Xiimi，：! EuIJk Vauilli 


r 


So you 


saying 


m 


re 


actually going to h 
to learn to play th 


have 


is 


thing? 


Bummer 


282470 


■Namf: ISL-lria Cht' 


R 她； 30QfHM-2JW ； j2 ： 5.- 1 


366420 


Bcl'ila S score is 


Icy-t, *tV^a^ks -to V^cv 
submitted scrttv\ sKot 
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the guitar wars application design 


The application needs to store images 

Currently, the Guitar Wars high score application keeps track of three 
pieces of information: the date and time of a new score, the name of 
the person submitting the score, and the score itself. This information is 
entered through a form as part of the application’s user interface, after 
which it gets stored in a MySQL database table called guitarwars. 
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This |D is the p\rirwol\ry 
key <Po\r the database 
3hd is au'toma'ki^lly 
9Chc\roi-tcd (or ea^h v-ow 


This is the date 、 
(Ad time) that 3 score 

v/3s submitted -to -the 

与 uitair Wars application. 



date 

2008 - 04-22 14 : 37:34 
2008 - 04-22 21 : 27:54 
2008 - 04-23 09 : 06:35 

r. i OO r»O .10 


guitarwars 

name 

Paco Jastorius 
Nevil Johansson 
Eddie Vanilli 
Belita Chevy 




Cir>*tcv-*nr>^ 3 MmC 3 r>d 
sdove dr>d dl'itk'mj Add ， 七 he 
store is doy>-rivmcd 3r>d 
added *to *tKc ^ui-tav-y/av-s 
•tabic m 七 1 化 da*tabasc- 



Tlic gui-tav-wav-s -table 
also s-to\rcs the hdme 

3hd stoYt (ov c 此 h 

hi# sto^rt Chivy ih 

the database. 


， rvo 


TVic y^cv/ly added score 
\mmcdia-tclY appears -t^c 
md'm guitar Wa^rs \>ay. 




* ,ul， ^ arJ ^Vars - HJ^h^cctr^ 

刊饥* 作谢 油*:丨 Qfca » ca 啦抓] 


12 T 650 

N-'awi PiKoJterbi, 

D»k: J4JJ.J+ 

98430 

Sum- y^nJ 

Uate: JD-jh 

345900 

>■«: Vac h 

; 282470 

j SWtCHl 

DlHi20a«jJ0ftLi^ 

i & 4930 
Smui Xwj? l^JE 
D ， k: ■MCfrWJ; 
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annotate the code 


-A 

E%eitciSe 


The Guitar Wars high score application will have to change to accommodate uploadable image 
files for high score screen shots. Circle and annotate the parts of the application that must 
change to support user-submitted images. 


- - '~ nra/1999/xhtml" xml :lang="en" lang="en"> 

<html xmlns="http://www.w3.org/iy / 

</head> 

<h2>Guitar Wars - High Scores</h2> what it takes to crack the 

<P> WelCOm ^ <a Y href-'addscore.php">add your own 

high score list? It so, 
score</a>.</p> 

<hr / > 

<?php 

// Connect to the database 。 < -admin', 'rockit 1 , 'gwdb') 

$ dbc = mysqli_connect('www.guxtarwars.net , admm ， 

// Retrieve the score data from MySQL 
$query = ” SELECT * FROM guitarwars "； 

$data = mysqli— query($dbc ， $query), 

//Loop through the array of score data, formatting 

: fiL' (r^^mysql^fetc^array ( $ data))( 

// Display the score data ‘ ”， 

echo '<tr><td class="scoreinfo ''>'； 
echo '<span class=" scored' . $row[ score ] ^ . 

echo '<strong>Name:</strong> ' • $row name 

echo - <strong>Date:</strong> - • $-w[-date ] 

echo ’</table〉 1 ; 
mysqli 一 close($dbc); 



f style, css 

This -pile 

h> so 

you dov\{, have -fco 
wo\r\ry about it- 


1 </span><br /> 
.'<br />'； 

.'</td></tr>' 


?> 

</body> 

</html> 


Download it! 



guitarwars 


The complete source code for the Guitar Wars 
application is available for download from the 
Head First Labs web site: 

.headfirstlabs . com/books/hfphp 


2 

7 

7 

7 

7 


date 

2008 - 04-22 14 : 37:34 
2008 - 04-22 21 : 27:54 
2008 - 04-23 09 : 06:35 
2008 - 04-23 09 : 12:53 
2008 - 04-23 09 : 13:34 
2008 - 04-23 14 : 09:50 


name 

Paco Jastorius 
Nevil Johansson 
Eddie Vanilli 
Belita Chevy 
Ashton Simpson 
Kenny Lavitz 
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<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> 

<head> y 

<title>Guitar Wars - Add Your High Score</title> 

〈link rel="stylesheet" type=”text/css” href=”style.css” /> 

</head> 

<body> 

<h2>Guitar Wars - Add Your High Score</h2> 

<?php 

if (isset($_POST['submit'])) { 

// Grab the score data from the POST 
$name = $—POST['name']; 

$score = 百 —POST['score I]; 

if (丨 empty ($na.me) && ! empty ($score) ) { 

// Connect to the database 

$dbc = mysqli_connect('www.guitarwars.net', 'admin' A 'rockit 1 , ,gwdb') 

// Write the data to the database 

$qUG f Y = " INSERT INT0 guitarwars VALUES (0, NOW(), '$name', '$score')" 

mysqli—query($dbc, $query); 

// Confirm success with the user 

echo '<p>Thanks for adding your new high score!</p > 1 ； 

echo '<p><strong>Name:</strong> ' . $name ，<br />▼; 

echo '<strong>Score: 〈 /strong 〉 ' . $score . ， </p>' ; 

echo ! <P><a href="index.php">&lt;&lt; Back to high scores</a></p>▼; 

// Clear the score data to clear the form 
$name = ””； 

$ score = ; 

mysqli—close($dbc); 
else { 

eC ^° ，<P clas s="error">Please enter all of the information to add ' 
your high score.</p >'； 


?> 

<hr /> 

〈form method=”post” action= M <?php echo $—SERVER['PHP SELF']; ?> ”〉 

<lab，l for="name">Name : </label><input type="text" id="name"*name="name" 
value="<?php if ( ! empty ($name) ) echo $name; ?>" /xbr /> 

<labd for="score">Score : </labelxinput type="text" id=” Score ” name="score' 
value- <?php if (! empty ($score) ) echo $score; ?> fl /> 

<hr /> * 

〈input type="submit" value= M Add M name="submit" /> 

</form> 

</body> 

</html> 


<? 7 l 




addscore.php 
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annotated guitar wars code 



The Guitar Wars high score application will have to change to accommodate uploadable image 
files for high score screen shots. Circle and annotate the parts of the application that must 
change to support user-submitted images. 


,, nra/1999/xhtml" xml:lang="en" lang="en"> 

<html xmlns="http :// www.w3.org/iy / 

</head> 

<body> wuq 、 

< h2>Guitar ^ rS t ； r H warr S ior re do you have what it takes to crack the 

score</a>.</p 〉 

<hr /> 


丁 he sdv-cch shot 
•file must be ob-bihed 

-Pirom -fovm POST daia. 


V^u should valida-tc h> 
wke suve the 
-filcha^c empty. 


1 admin 1 , 1 rockit 


<?php 

// Connect to the database 

$dbc = mysqli— connect('www.guitarwars.net 

II Retrieve the score data from MySQL 
$query = "SELECT * FROM guitarwars"; 

$data = mysqli— query($dbc, $query); 

// Loop through the array of score data, formatting it as 

: file' (rro^'mysql^fet^array ( $ data))( 

I 1 V i. l li'~ -rT 七卜 


<html xmlns="http : //www\w3.org/1999/xhtml" xml:lanq="en' 
<head> ' 

<title>Guitar Wars - Your High Score</title> 

〈link rel= ,f stylesheet f, ^pe= f, text/css 1 ' href= fl stvle cs 
</head> x • 

<body> 

<h2>Guitar Wars - Add Your Hi^V Score</h2> 

<?php 

if (isset($_POST[ 1 submit 1 ])) { 


"echo '<tr><td class="scoreinfo ">'； f 


'</span><T 

• '<br / >' 

• '</td></} 


echo 'T/Ldbiy -' 1 ， - 

⑽、 T\\t sKot 

mysqli close($dbc ) r . 

> r,ccds -to be displayca 


^j-Ldb Lhe score data trom the PO 
$name = $_POST[ 1 name ? ]; 

$score = $_POST[ 1 score f ]; 

土 • empty 

$dbc = mysqli_connect( 1 www.guitarwars.net r , ， admin' 



lang= fl en fl > 


/> 


TV S《L ' 叫 f — 迕 

y>o>/ msc\rt Way 
^'iley>dme *m*to *b^c 
—*tav 肅 s *taW c . 


’ rockit ’ 


’ gwdb 1 ) 




</body> 

</html> 


ov\ 七 he pay. 


// Wri ^ t ■一 r mo -f-^ qq_ 

(Q ， 簡 0, ,$name, , '^core') 


/ / r^n-F-i v-m 








id 


index.php 

The image should be displayed 
"to "the usc\r "to doh-fi\rrw su^^css. 

guitarwars 


1 <p>Thanks for adding your new high score!</p> 
1 <p><strong>Name:</strong> 1 . $name *<br /> 
<strong>Score:</strong> f • $score • 1 </p > 1 ； 

' < P ><a href= n index.php n >&lt;&lt; Back to high 


(score data to clear the form 



res</a></p > 1 ； 



date 

2008 - 04-22 14 : 37:34 
2008 - 04-22 21 : 27:54 
2008 - 04-23 09 : 06:35 
2008 - 04-23 09 : 12:53 
2008 - 04-23 09 : 13:34 
2008 - 04-23 14 : 09:50 


mysqli—close($dbc); 

} 

else { 


suUcss, make suve ihc s-( 
-fovm -field gc-b cleaved. 



name 

Paco Jastorius 
Nevil Johansson 
Eddie Vanilli 
Belita Chevy 
Ashton Simpson 
Kenny Lavitz 


ec^io ’<p class="error">Please enter all of the information to add 
your high score.</p > 1 ； 

T 


?> 


This e^uev-y -takes d b'rt o( d sho\rUu*t 
by y>o*t spedi-fym^ dolumy> 


/> 


"post" action="<?php echo $—SERVER['PHP SELF ']； ?>' 


TV^c table 从 cds a 少 

*to S*toVC 一 

从 c Sd ⑽ sU: way ’ he 俨？ r^eeds 3r> 

for tacM stove. <'^put> -tag \o>r the 

'^9^ +ilc sclcdtioh. 



klabd for="name">Name:</label><input type="text» Id=»name" name="name' 
value- ,f <?php if (! empty ($name) ) echo $name; ?> n /><br /> 

<lab” for="score">Score : </labelxinput type="text" id="score" name="score' 
<?php if (! empty ($score) ) echo $score; ?>" /> 

〈input type="submit" value="Add" name="submit" /> " 

</form> 

</body> 

</html> 



addscore.php 


230 Chapter 5 









































working with data stored in files 


Plawwiwg for image file uploads m ftuitar Wars 

Although it may not seem like a big deal to add support for uploadable screen shot 
images to Guitar Wars, the application must change in a variety of ways. For this 
reason, it’s a good idea to have a plan of attack before diving into any code. Let’s nail 
down the steps required to revamp the Guitar Wars high scores for screen shots. 


6 



Use ALTER to add a screenshot column 
to the table. 

First off is the database, which needs a new column 
for storing the name of each screen shot image file. 
Since we plan on putting all image files in the same 
folder, all we need to store in the database is the 
filename itself (no path). 



Write a query to insert the screen 
shot image filename into the 
screenshot column of the table. 

The Add Score script that processes the form for 
adding scores must also take into consideration the 
new file input form field, and handle inserting a 
screen shot image filename into the screenshot 
column when inserting a new high score row into the 
guitarwars table. 


screenshot 


phizsscore.gif 


We uploads. P d * a,,ow *mage 

mterfaCe for Meeting a fiLo a user 

ScrCCIl stlOtl Choose Fjlc^ pliiz s-scorc^gif 


Change the main Guitar Wars 
page to show screen shot 
imsges for the high scores- 

Last on the laundry list of changes 
involves the main index . php Guitar 
Wars page, which must be changed to 
actually show the screen shot image for 
each high score that is displayed. 
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ALTER your table 


The high score database must be ALTERed 


In addition to a variety of PHP scripting tweaks, the image-powered 
Guitar Wars application needs a new column in the guitarwars table 
to store screen shot image filenames. Enter SQL, which offers a statement 
called ALTER that is capable of modifying tables in all kinds of interesting 
ways, including adding new columns of data. You used the ALTER 
statement in the previous chapter to tweak Elmer’s email—list table, 
but let’s recap how the command works. 


ALTER TABLE guitarwars DROP COLUMN score 

The DROP COLUm ^ 

s-tatcmch-t d\rops ah 
匕 olimrn -fv-om s table. 

OK, maybe that’s a dangerous example since it reveals how to drop an 
entire column from a table, data and all. Yet there certainly may be a 
situation where you need to remove a column of data from a table. It’s 
more likely that you need to add a column of data, as is the case with 
Guitar Wars. This is made possible by ADD COLUMN , which is one of 
several table alterations you can carry out with ALTER. 


Tke ALTER 

statement is used to 


ckange tke structure 


oi a database. 





■follov/cd by ^ *to 

youVc ^o'm^ *to al*tcv a *table. 

Its also possible *to al*tcv- 
S*bru£.*tuV"C 0-(* "tiiC 

fyLTB-R PATABA^E ； bu*t 

-tKaVs s-fcovy. 


ADD COLUMN 

Adds a new column to a table — just 
specify the name of the column and its 
type following ADD COLUMN. 

ALTER TABLE guitarwars 
ADD COLUMN age TINYINT 


CHANGE COLUMN 

Changes the name and data type of a 
column —— just specify the name of the old 
column, new column, and new data type 
following CHANGE COLUMN. 

ALTER TABLE guitarwars 

CHANGE COLUMN score high_score 工 NT 


drop column 


ALTER TABLE guitarwars 
DROP COLUMN age 


MODIFY COLUMN 

Changes the data type or position of a column 
within a table 一 just specify the name of the 
column and its new data type following MODIFY 
COLUMN. To change the position of a column, 
specify the name of the column and its exact 
position (FIRST is the only option here) or a 
relative position (AFTER another existing column, 
specified by name). ’ 

ALTER TABLE guitarwars 

MODIFY COLUMN date DATETIME AFTER age 
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Write an SQL statement that adds a new column named screenshot 
to the guitarwars table. Make sure to give the new column a 
suitable MySQL data type. Then write another SQL query to check the 
structure of the table and make sure the column was successfully added. 


guitarwars 


id 


_ d«te _1 

name_ 

1 score 1 

2008-04-22 14:37:34 1 

Paco Jastorius 

127650 | 

2008-04-22 21:27:54 1 

Nevil Johansson 

98430 j 

2008-04-23 09:06:35 | 

Eddie Vanilli 

345900| 

2008-04-23 09:12:53) 

Belita Chevy 

282470j 

2008-04-23 09:13:34 j 

Ashton Simpson 

368420| 

1 2008-04-23 14:09:50 1 

Kenny Lavitz 

j 64930 


screenshot 


l/V\ritc the siaicmev)i 
七 ha 七 ddds 3 ^.olumrth 



1AM 七 e otKcv- 
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sharpen your pencil solution 

- %^arp«i your pendl 

Solution 


Write an SQL statement that adds a new column named screenshot 
to the guitarwars table. Make sure to give the new column a 
suitable MySQL data type. Then write another SQL query to check the 
structure of the table and make sure the column was successfully added. 


guitarwars 


id 


date_1 

name_1 

score 

2008-04-22 14:37:34 1 

Paco Jastorius 

127650 

2008-04-22 21:27:54 1 

Nevil Johansson 1 

98430 

2008-04-23 09:06:351 

1 Eddie Vanilli 

1 345900 

2008-04-23 09:12:53 

Belita Chevy 

282470 

2008-04-23 09:13:34 

I Ashton Simpson 

368420 

2008-04-23 14:09:50 

I Kenny Lavitz 

1 64930^ 


The ALTBR siaie^i adds • 

hew s^censhoi 匕 oUh ■(» 七 he 

( gui-tairy/avs table. 

screenshot 


Sihde the ^olunrth is hCw, it 

s-blrb out empty (NULL) 

4\r cxistihg \roy/s ih the table. 



. The o( tabic *to be 

The ALTER staWht alWd Allows ALTER TABl 

. 麵 . 舰*， 


ADD COLU/yiN sd\rcc^sho *(： va\rdiia\r(^) 

APP COLUMN mdidates -that 
we wa^*t *to al*tcv the "table by 
addi^ a mevj dolum^ o( 


The av\d daia type o( -the new Co\^v\ av-e 
spedi-fied las-t \v\ -the S^L vevy - 厶午 dhavad-tcv-5 

dve -to ^CCon\n\oAd{,t rwos-t imd^e -f ile^dr^es^ 

you mdkc "the dolurvm cvch lo^jcv* i-f 
you wa^i -to be c^iv-a sa-Pc- 


DESCRIBE. 5 ui*ta> ： y/ay；s 


TV’s s-ta-tcr^ch-t displays 
the s-t\rud-tu\rc of the table ； 

ihdludih^ "the dolurvth hdmes 
ahd theiv- daid types. 


TKc 

s*tcf >s dov\c! 



Use ALTER to add a screenshot 

column to the table- 
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Tesr DriVq 


Add the screenshot column to the guitarwars table. 

Using a MySQL tool, execute the ALTER statement to add the screenshot 
column to the guitarwars table. Then issue the DESCRIBE statement to 
take a look at the table structure and make sure the column was added. 


|ssu'm^ PKCR 邮 
s*ba*teme\rrt v-cvcals 

sCrcc 灼 shcrt tolum 灼 . 


_£j[e Edit Window Help OU812 


mysql> DESCRIBE email list. 


Field 

id 

date 

name 

score 

screenshot 


Type 


Null 


Default 


Extra 


int (11) 
timestamp 
varchar(32) 
int (11) 
varchar (64) 


— I - 


NULL 

CURRENT_TIMESTAMP 

NULL 


auto increment 


5 rows in set (0.03 


■+ - +-- 


sec) 


You 匕如 £.o^s-t\rud"t the 
•m’rtial Jui-tav-wav-s table 
by dow^loddma -the 

CoAt To\r 与 urta\r 

lA/ivs, "then 
七 he S6^L <^ucv-y m 
七 he -file gui-t3\rv/a\rs.s^|. 


Do new columns added with 
ALTER have to be added to the end of a 
database table? 

No, they can be added anywhere. But 
keep in mind that the order of the columns 
in a table isn't terribly important. In other 
words, you can structure query results so 
that data is organized in any order you want. 
But maybe you like the sense of structural 
order brought about by a specific ordering of 
columns, in which case you may want to add 
a column in an exact location. You can do 
this by tacking on the keyword FIRST to 
the ALTER query. Or use AFTER column 
to place a column relative to another column: 



ALTER TABLE guitarwars 

ADD COLUMN age TINYINT AFTER name 

If you don't specify where a new column is 
added, it defaults to the end of the table. 

What happens to the existing high 
score database rows of data after adding 
the new screenshot column? 

Since the ALTER statement only 
affects the structure of a database, the new 
screenshot column is empty for all 
pre-existing rows of high scores. While it's 
possible to populate the screenshot 
column of future rows, pre-existing rows all 
have an empty screenshot column. 


Can screen shot filenames still be 
added to the pre-existing rows? 

Yes, they definitely can, and you would 
use the UPDATE SQL statement to do so. 
There is nothing stopping you from manually 
uploading image files to the web server and 
then using UPDATE to fill in the screen 
shot filenames for existing scores. But 
remember that the whole idea here is user- 
submitted image files, so it makes sense 
to allow users to upload their own screen 
shot images. And they can do exactly this 
by using the improved image-powered Add 
Score script you're about to build... 
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add images with the add score form 


How do we get an image from the user? 


With a new column added to the high score database, we’re ready to 
focus on allowing the user to upload an image file. But how exactly is that 
possible? FTP? Mental telepathy? This actually leads back to the Add 
Score form, where we can use a form field to allow the user to select an 
image file to upload. 


^ ^ ^ CuitAfWart 


Adif ¥&4ir Son 


Guitar Wars - Add Your Score 

■NflflTHf: Hui ： Lar^Ltin 
5C0rC: IdGSBD 

沾 M UMI： fa^rF.Ir'i ^phifeii^r.Jir 



The Add Stove -fovm is allov/s 

usevs bo add d score *to 

{\\t 今 urtav l/Vavs Wi 价 sdov-c list 


TKc sfcdi-f its o-f *tKis bu*t*tov> av-c 
CoY\broWtd by i\\t >/cb bv-ov/sev- 
av\A *tKc native ofev-atm^ 
system. Usually *i*t *tv'i^cv-s a -f ile 
bvoy/sev dialog box. v/iicvc *tKc 

usev cav\ y»avi^a*tc b> *f’md a -file 

or\ -tKc'iv- Kavd dv-ivc. 


Wpoh submrttii^ "the 

七 he b*ma\ry ir^age -file is 
uploaded -to the scv-vcv-. 


7 細今 
1 moiod 〆 

jQiorfJ 

phizsscore.gif 


Web server 


So an input field helps the user find the file to be uploaded, then 
what? The file upload form field also takes care of the selected 
image getting uploaded to a folder on the server, where it can 
then be displayed as part of the Guitar Wars high score list. 

Is this file upload form field some kind of strange extension to 
HTML? No, not at all. The HTML 〈 input〉tag supports 
file form fields and works in conjunction with PHP to allow file 
uploads. But before we get into the PHP side of things, let’s take a 
closer look at the form field itself... 


j\ ^oldcv- ov\ *b^c 
vcdcWcs 
扣 d stoves \i a>w3Y 
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working with data stored in files 



The ^c^re f^Yvn Jjp Cl^se 


TW\s (orv^ attvibutc tells i\\t 
-Po\rw\ *to use 3 s^cC>i3l 
oH e^od'm^ rt<\\A\rtd (or -Pile 
ufloadm^ - it aWcdts \\o^i tV^c 
POST data is bundled a^d sent 

y/iicy\ -PoV'W' is subw'i*t*tcd* 



^s^blishcs ^ nn 3 xinr)um -Pile 
siz^ 4 \r -file uploads, ih -this 
從 dZ ⑼ (iZJbe bytes). 


TVis is a scl-f- 
VC-fcv-cr\^m5 -form. 


<form enctype= M multipart/form-data" method= M post" action= M <?php echo I $ SERVER['PHP SELF']; ?>"> 


<input 

type: 

= M hidden M name= M MAX FILE 

SIZE n 

value= M 32768 M 

/> 


<label 

f or =, 

▼name": 

>Name 

: </label> 





<input 

type: 

= M text 

M id= 

"name" name= M 

name" 

value= M <?php if 

(!empty($name)) echo $name; ?> M 

/> 

<br / > 









<label 

f or =, 

'score 

M >Score : </label> 





<input 

type= 

= M text 

M id= 

"score" name= 

"score 

M value= M <?php 

if (!empty($score)) echo $score; 

?> 

<br / > 









<label 

f or =, 

’screenshot 

M >Screen shot 

: </label> 



<input 

type: 

= M file 

M id= 

"screenshot" 

name= M 

screenshot" /> 




<hr / > 

〈input type= M submit M value= M Add M name= M submit" / > 
</form> 


TVic actual -file mfu*t -field ； 

y/Ki^ ultimately \rclics or> d 
^atwc ofevatm^ system dialog 
-fov -file bvoy/sm^ 3 r\d sclcdtior\. 


Change the Add Score 
form so that it uses a 
file input field to allow 
image file uploads. 
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store image filenames in the database 

filename 

Iwscrt the imag^iwto the database 

Simply uploading an image file to the web server via a form isn’t enough. 
We have to store the filename in the new screenshot column of the 
database so that the image can be accessed and displayed. As it stands, the 
Add Score script already inserts new high scores into the guitarwars 
table using the SQL INSERT statement, but this statement doesn’t factor 
in the new screenshot column: 


Image filenames are 
stored in tke ctataLase 

as part of an INSERT 

statement. 


INSERT INTO guitarwars VALUES (0, 
丁 he id dolumh gets set au-tomaii^ally via 

AUTOJHCRBMBtJT - -the O is \^ortd, 

although the <\uc\ry docs \rc^ui\rc a value hev-e. 



NOW( ) ； - $name - 


TV^ N01A/0 is used 

•to *mscv-t duv-v-ch*t date/ 

,'$score') 


Since this SQL statement is inserting values without identifying the 
column names for each, it must include a value for every column. But we 
just added a new column, which means the query no longer works — it’s 
missing a value for the new screenshot column. So adding a screen 
shot image filename to the database as part of a new high score row 
requires us to add a new value to the INSERT statement: 

INSERT INTO guitarwars VALUES (0, NOW(), ， $name 

Roy/s o-f ddid mscirtcd pnov *to i\\t 
addition c^f i\\t sCrtty\s\\oi dolumv> 

do^*t Kave a s 匕七 -f ilename. 

guitarwars 


"w~ 

date 

name 

score 

\ screenshot 

1 

2008-04-22 14:37:34 

Paco Jastorius 

127650 


2 

2008-04-22 21 :27:54 

Nevil Johansson 

98430 


3 

2008-04-23 09:06:35 

Eddie Vanilli 

345900 


4 

2008-04-23 09:12:53 

Belita Chevy 

282470 


5 

2008-04-23 09:13:34 

Ashton Simpson 

368420 


6 

2008-04-23 14:09:50 

Kenny Lavitz 

64930 


2008-04-24 08:13:52 

Phiz Lairston 

186580 

phizsscore.gif 


Passm^ sCrtCY\s\\oi 

INSERT 

ddds l*t *fco d3"t3l)3SC- 
$score', '$screenshot') 

Tiic ov-dev- o-f *bi^csc values 
matters s\v\Ct I NStRT 


ave m *biic sa^c order as 
七 toluwms m 七 


\ 


\ 


\ 


\ 


\ 


The Y\t^i INSERT sta*temwt \rcsul-b m the sdv-CC^shot 

msc\rtcd m*to the dolum^. 


Write a^iery to 
insert the screen 
shot image filename 

into the screenshot 

column of the table. 


\ 
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Find out the name of the uploaded file 

The query looks good, but we still don’t know what the actual filename 
of the image is. It’s fair to assume that the file input field in the form 
somehow provides access to the filename, but how? The answer lies in a 
built-in PHP superglobal variable named $— FILES, which is similar to 
the $_POST superglobal we’ve used to access form data. Like $_POST, 
$_FILES is an array, and within it is not only the name of the uploaded 
file, but also some other information about the file that might prove useful. 



〈input type="file" name="screenshot" /> 


TVlC -Pov-m passes some 
usc-ful about 

-f lic *to -t^PHP 

stvift ^>3 f 一 

supcv"^lok 3 l vavidblc- 



I …。，。彳 

ooiorm 

phizsscore.gif 


丁 his is -the "file 

kci ^9 uploaded thanks 
"to "the -Pile ihpu*t 
-field *m -the -fov-m. 



Tlie MILES 

tuilt-in supergflotal 
variable provictes 
access to iniormation 
about uploaded files. 


FILES['screenshot 1 ] ['name ’ 

phizsscore.gif 



"The o-P "the 
uploaded -Pile- 



FILES['screenshot ? ]['type'] 

image/gif 卜 

^~The N\\t^ o 

unloaded Vile, 
•m *tKis fi.3sc ^IF- 

$_FILES[▼screenshot▼][▼size▼ : 

12244 


The s\z£ (ih bytes) 

of uploaded -file. 


FILES['screenshot']['tmp_name 1 ] 

/ tmp/phpE7qJky 



Tiic -tcw'fovavy 

location o-f 

•bKc -file oh -tKc sevvev. 


screenshot▼][▼error 1 ] 

n TKc c\r\rov todc -fov -file 

u^loddij 0 d s\aCCcsS) 

o*t^cv" values mdi 匕 ate -failuvc- 


The other information made available in the $_FILES variable is 
certainly useful, but right this moment, we just need the name of the 
image, which can be stored away in a local variable ($screenshot) and 
used in the SQL INSERT statement. 






m 


$screenshot 


FILES['screenshot']['name']; 
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keep external file data in external files 


O 



Wait a minute, were only 
storing the name of the 
image file in the database., 
what about the file itself? 




LJ-- I- 

»_!= 酬 


Unverified 


1S6SS0 

Ltlfwoci 

Dmw 


Data stored in external files is typically left in external files, 
even in database applications. 

In this case, the data is a collection of pixels that make up an image, which is stored 
in an external file — a GIF, JPEG, or PNG image file. Databases excel at storing text 
data, not raw binary data such as images, so it’s better to just store a reference to 
an image in the database. This reference is the name of the image file. 

Another reason images in web applications aren’t stored in databases is because it 
would be much harder to display them using HTML code. Remember that HTML 
code references images from external files using filenames. So generating an image 
tag in HTML involves using an image filename, not raw image data. 


<img src= M phizsscore.jpg" alt= n Score image" / > 


Placing an image 
on a wet page only 
requires a relerence 
to tke image iile. 


The irvtdQe 

-rilchamc 



TV^c HTML <\^> uses 

"imay _ 

•bo *biiC iw'Sy -rile 


OY\ 


■bilC v/cb scv-vc\r. 



phizsscore.gif 
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rperi your pencil 


The main Guitar Wars page (index . php) still isn't displaying screen shot 
images for the high scores. Finish the code so that it shows the images. 


<?php 

// Connect to the database 

$dbc=mysqli—connect('www•guitarwars•net', 'admin 1 , 'rockit ', 'gwdb'); 

// Retrieve the score data from MySQL 
$query = ; 

$data = mysqli—query($dbc, $query); 

// Loop through the array of score data, formatting it as HTML 
echo '<table>'; 

while ($row=mysqli—fetch—array($data)) { 

// Display the score data 

echo ' <tr><td class="scoreinfo"> '; 

echo '<span class= M score n > ' . $row [ ' score ' ] . ' < / spanxbr / > '; 
echo '<strong>Name:</strong> ' . $row[* name'] . '<br / >' ; 
echo '<strong>Date:</strong> ' . $row['date'] . '</td> *; 
if (is—file( ) && filesize ( ) > 0) { 

echo ' <tdximg src=" ' . . ' " alt="Score image" /></tdx/tr> '; 


else { 

echo ' <tdximg src= M unverified .gif" alt="Unverified score" /></tdx/tr> '; 

} 

} 

echo '</table>'; 

mysqli_close($dbc); 

?> 
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sharpen your pencil solution 


(^Sharpen your pencil 

Solution 


The main Guitar Wars page (index . php) still isn't displaying screen shot 
images for the high scores. Finish the code so that it shows the images. 


<?php 

// Connect to the database 


卜 a move -to keif simpli*fy i\\C Code, wcVc v\oi usmj W ov- 
dl〆)” *to pvodutc CV"V*OV messages 3 ir>d c%l*t Sdv.lf 七 
a myscyli ^uy>dtioy> (a\W You may v/ar>*t -to do^tmuc 
•mdudmg -this dodc *m youv ovm applications but >wcVc 
^o'm^ *fco skip i*t -fv-om ov\ *fov sake bvcv*i*ty. 


$dbc=mysqli—connect('www•guitarwars•net', 1 admin', 'rockit', 'gwdb 1 ); 


// Retrieve the score data from MySQL 
$ query = “SELECT 决 FROM Juitav-y/av-s^ 



$data = mysqli 一 query($dbc, $query); 


TKc S 公 L sta 七加⑼七 v-c«\ucsts 

SdoVCS doesn't 3 七 dll! 


// Loop through the array of score data, formatting it as HTML 
echo '<table>'; 


while ($row = mysqli_fetch 一 array($data)) { 
// Display the score data 


echo ' <tr><td class="scoreinf o M > * ; . 

丁 Wis -fuy\ 6 *b*oy\ dV^cdks 

echo '<span class="score"> ' . $row [ ' score ' ] . ' < / spanxbr / > ' ; ^ suve 

echo ' <strong>Name : </strong> ' . $row [ ' name ' ] . ' <br / * sdvccirv sV^o*b 

^ 0000 0»- 0t0 " 000000000l0>0> ^ •kv\’ 4 * Cw'F't-V » 

echo '<strong>Date:</strong> ' . $row['datej^^r r </td>'; 

if (is 一 file ( fvov/C'sdvcc^shoV] ) && filesize ( fv-oy/C^sdv-cc^shoV] 〉 0) — 


>1 


echo ' <tdximg src=" 1 . 

This -Puh^tioh dhc^ks -to see 
hot in，a 9 c Uc anally exists. 




alt="Score image" / ></tdx/tr> 


s 

else 






TV 


sert^oi dolumrt database shoves 


七 he sCrttv\ sho 七 -for a 5 >vcr\ sdovc- 


echo ' <tdximg src=" unverified .gif" alt="Unverif ied score" /></tdx/tr> '; 


echo '</table>'; 

mysqli_close($dbc); 
?> 



Guitar Wars page 
to show screen 
shot images for 
the high scores. 
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Tesr DriVq 


Add a new high score to Guitar Wars，complete with a 
screen shot image. 

If you haven’t already done so, download the Guitar Wars example code from the 
Head First Labs web site at www. headf irstlabs . com/books/hfphp. It’s 
in the chap ter 05 folder. The code consists of the main page (index. php), the 
Add Score script (addscore. php), and a style sheet (style. css). 

First you need to change the adds core • php script so that its Add Score form 
supports file uploads. This includes adding new form fields, adjusting the <f orm> 
tag, and checking to make sure the $ screenshot variable isn’t empty. Then 
incorporate the new high score INSERT query into the script. 

Now shift to the index . php script, and add the new code from the facing page 
so that it displays the screen shot image for each high score. 

Upload all of these files to your web server and open the adds core • php page 
in a web browser. Enter a new high score in the form, and click Submit. Then 
navigate to the index . php page and take a look at the new score. 


Sorwcthihg v-ight/ Th( 
doesn't appear with 
the hew sdovc as expected- 



36S420 

Naflfies AjsIubb Simpson 
U 纛 W: 3U0H4>f-23 WL3. ^ 

64930 

Kcnay Lavfe 

1S6SS0 

fiamw. rhi ， tJ.in.HHi 
lijbe: OS'- - 

"b J 




Why do you think the screen shot image doesn't 
show up for the new score? What about for the 
scores that were already in the database? 
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uploaded files are stored in a temporary folder 


Where did the uploaded file go? 


The problem with the uploaded image not appearing is that we made an 
assumption that the file would be uploaded to the same folder on the web 
server as our PHP scripts. As it turns out, this assumption is dead wrong. 
The Add Score form lets the user select a file from their own computer, 
but the file is actually uploaded to a temporary folder on the server. 
The temporary folder is created automatically on the server and usually 
has a weird name with a bunch of random letters and numbers. 

This presents a problem for our <img> code in index . php because it 
assumes the image is located in the main web folder: 

<img src= n phizsscore.jpg" alt= n Score image" / > 



Tiiis toAt assumes 
is s*to\rcd m 

md'rn y/cb -foldcv v/iicv-c 

i\\t PttP -f iles avc 

s*bovcd -bu*t i*t 



Client web 
browser 




Web server 


TW«S -tcm^ovavY 
jfoldcv v\awc av'd 
lota 七，。灼 d 七 a 

pH? mstalla*t'«ov\. 



phpE7qJky 

L i 


^yle.css 
addscore.php 
index.php 


The sd\TCCh shot 
-Pile be^ihs ih 
-foldc\r oh the 
s ComputeV-. 


ioiotji} 
phizsscore.gif 



addstov-c is 
Ny/Kcv-C -tV^'lS +OV-m 


Joiorrj 
phizsscore.gif 


ovi^m 


'mates. 


The Add Sdov-c 

takes dav-c o-f i 
-Pile -to a 


^o\dtY Oh the SCV-VCV-. 


Wlp 七 

iploadihj 七 he 

tcrupovav-y 
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working with data stored in files 


♦ 



Storing images in a cryptic temporary folder 
seems like an unnecessary hassle. Can we 
control where the uploaded files are stored? 


Yes! PHP lets you control where uploaded files are stored. 

However, you can’t control the initial storage location of uploaded files with PHP, 
which is why the location is considered temporary. But you can move a file to another 
location after it has been uploaded. The PHP function move—uploaded—file () 
accepts the source and destination locations for a file, and then takes care of the moving: 

move uploaded file($ FILES['screenshot'] [* tmp name'], $target); 


TVis is i\\t souvtc location o 
■bempov-av-y pa*bV^ and -filename 



Web server 



This is the 
dcstihatioh lodaiioh 
o( the 

•Pile, ih^ludmg the 
path 
-Pilchamc. 




/ 


/ 


"score, php 
index.php 

丁 his -Poldcv- cby\ be a^y -Poldcv- 
you choose ov\ the web scv-vcv*, 
just make su\rc you 
pCVrwissioh -fco wvitc -Piles -fco it. 



T\,t (\\t is 
moved -fv-om 
a 七 

-foldcv- *to a \ 

pc\rmar\Cr\*t 
-foldcv-. 



phpE7qJky 

W ■ 


m ove uploaded 一 file () 

⑽加 

jQlorjJ 

phizsscore.gif phizsscore.gif 


JfliDl 
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tliereiare no ^ 

Dumb Questions 


Q/ Can't I change the initial storage location of uploaded 
files by modifying the php. ini file? 

Yes. The PHP initialization file (php.ini) can be used to 
change the initial storage location of uploaded files through the 
upload—tmp—dir option. But if your application is hosted on 
a virtual server, you may not have access to this file, which means 
you'll have to move the file to your own folder via PHP script code. 

Why is the initial upload folder called a "temporary" 
folder? Does it go away after a file is moved? 

No. The folder is "temporary" in a sense that it isn't intended 
to serve as the final storage location for uploaded files. You can 
think of it as a holding area where uploaded files are stored until 
they are moved to their final storage location. 

Why can't I just leave a file in the temporary folder? 

You can, in which case you'd need to add 
$ FILES [ ' screenshot' ] [ ' tmp_name ' ] to 
the path of the image to make sure it is found in the temporary 
folder. But keep in mind that you don't typically control the name 
or location of the folder. Even more important is the fact that 
temporary folders can be automatically emptied periodically on 
some systems. Another potential issue is that the temporary 
upload folder may not be publicly accessible, so you won't be able 
to reference uploaded files from HTML code, which is the whole 
point in Guitar Wars and most other PHP applications. By moving 
uploaded files out of the temporary upload folder, you can carefully 
control exactly where they are stored and how they are accessed. 


working with data stored in files 


OK, so now I know how to 
move uploaded files around. 
That's really special. But I 
still don't have a clue where 
they are supposed to go. 


Every application needs an images folder. 

OK, maybe "need" is a bit strong, but it’s important to organize the pieces 
and parts of PHP applications as much as possible, and one way to do so 
is to create folders for different components. Since uploaded images are 
submitted by users, they aren’t something you typically have direct control 
over, at least in terms of filenames and quantity. So it’s a good idea to 
store them separately from other application files. 

All this said, we need an images folder, where image files that are 
uploaded to the Guitar Wars application are stored. This folder can also 
serve as the storage location for any other images the application may use, 
should the need arise. 

T\)C images -foldcv- \sr!i 

anally bijyv- 。七 her 

-folders, but \i 

-files m*to ov\t pUde. 
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make a folder for uploaded images 


Create a home for uploaded image files 

The images folder is just like any other folder on the web server except 
that it must be placed somewhere beneath the main web folder for the 
application. It’s usually fine to just place the folder directly beneath this 
web folder, but you’re free to create a more complex folder hierarchy if 
you want. 

With the images folder created immediately beneath the main web 
folder on the web server, it becomes possible to reference image files from 

within PHP scripts like this: tl . r.i 

_ I nc irwoigc Tilehdme is 

-to the path 

$target = GW UPLOADPATH . $screenshot; 


TKis is y/cb -foldcv -fov i\\t 

df>f>lidd*tioy\ PttP s£.\rip*ts 

avc s*tovcd) . 


fimagesjphizsscore.gif^) 


The $ target path is built out of a new constant we’re 
going to add to the script called GW—UPLOADPATH, which 
holds the path to our images folder. Like a variable, a 
constant stores a piece of data. But the value of a constant 
can’t change once it’s set. The image filename as entered 
into the Add Score form is then concatenated to the 
images path. 



Web server 


"The images -Poldcv- 
•_s typically flawed 
just beneath -the 
web -Poldev-. 





index.php 


¥atck it! 


If your PHP application is 
hosted anywhere other 
than your local computer ， 
you'll need to use FTP to 
create the images folder. 


Use an FTP program to access the file 
system of your web site and create the 
images folder beneath the web folder of 
the application. 


Uploaded 

^'ilcs av-C moved *to 如吻 3 

images -foldcv-) 

phizsscore.gif 

be displayed Via 

HTML <Wj> tajs 



ON J l 


phizsscore.gif 




move uploaded file( 


FILES['screenshot']['tmp name'] 


$target) 
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working with data stored in files 


BE th^ 吵 如妙 

Your job is to play tire role of an uploaded 
screen shot irn^e file and plot your patii 
through tke Guitar Wars ^plication. 

^ Draw your path tlirough 
,WjlE each part of Ae application, 

making sure not to forget 
* ^ a ^ase. TBrik liKe an 

uploaded file! 



Web server 



Start V^cvc! 


Client web 
browser 



phpE7qJky 



i6m D| 
movocJ 

細。 

iginrjJ 
phizsscore.gif 


D| 

moiod 

jQi&riJ 

phizsscore.gif 


move—uploaded-file () 


phizsscore.gif 



$screenshot = $_FILES['screenshot'][ 


^ RT into guitarwars VALUES (0, NOW() , '$name、 score \ »$screenshot») 


guitarwars 


"id" 

date 

name 

score 

screenshot 

1 

2008-04-22 14:37:34 

Paco Jastorius 

127650 


2 

2008-04-22 21 ： 27:54 

Nevil Johansson 

98430 


3 

2008-04-23 09:06:35 

Eddie Vanilli 

345900 


4 

2008-04-23 09:12:53 

Belita Chevy 

282470 


5 

2008-04-23 09:13:34 

Ashton Simpson 

368420 


6 

2008-04-23 14:09:50 

Kenny Lavitz 

64930 


7 

2008-04-24 08:13:52 

Phiz Lairston 

186580 

phizsscore.gif 
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be the uploaded image file solution 



BE . 如妙膝 

Your job is to play tire role of an uploaded 
screen shot image file and plot your patii 
through tke Guitar Wars ^plication. 

Draw your patii 
each part of Ae application, 
making sure not to forget 
{ire database. Think li^e j 
uploaded file! 


Web server 


an 





The 6 fW s-ta^ds (or 

与 ui*tav* iVavs 扣 d mdi^d'kes 
tha 七 this is 3 iY\ applitatioh- 
Spcdi-f id ^Ohs-ta^-t. 


Client web 
browser 



This -foldcv- »s 

oy\ 七 he usev"’s / 

tompu*tcv - you 

iidve v\o 乙 orrbrol 

ovcv y/iia*b >Vs 

tailed or wiicvc 
•，Vs sW, phizsscoragif 

do you 

cart- 



V^u UYt a \oi abou-t -the 
如 d lodatioh o-f -this 
(older because it is used 
throughout ^uitav- lVav-s 

"to s-to\rc ahd >rt^tYtr\tt 
uploaded image -files. 


fiv-sj) *bV^c -file >s uploaded 
us'm^ d mfu 七 *vo\rm -field- 



7 細 E^j ^ 

jQlPfjJ 

phizsscore.gif 




INSERT INTO guitarwars VALUES (0, NOW() , ， $name\ ^ score ^ ’ Screenshot ’） 


phizsscore.gif 

Se 匕 o— the -file is moved -fv-om 
the ie^o\ra\ry upload -foldcv- -to 

the images -Poldev-. 


A-f*bcv- {\\t *f»lc is uploaded 
-to {\\t scv-vcv- and moved 
■to its -pmal s-bov-ajc 
lotatio^, I*b Y\^nst jc*b \ 
added *to da'tabasc. 


Whew! 


O 


0 




addscore.php 


Yep, "this is a new step wc 
didh’ 七 pbh Oh c^vlicv- — 
you\r design rwus-t be -flexible/ 


Move the uploaded 
image file from a 
temporary upload 
folder to a permanent 
folder for images. 


guitarwars 


id 

date 

name 

score 

screenshot 

1 

2008-04-22 14:37:34 

Paco Jastorius 

127650 


2 

2008-04-22 21 ： 27:54 

Nevil Johansson 

98430 


3 

2008-04-23 09:06:35 

Eddie Vanilli 

345900 


4 

2008-04-23 09:12:53 

Belita Chevy 

282470 

— 

L 

5 

2008-04-23 09:13:34 

Ashton Simpson 

368420 


6 

2008-04-23 14:09:50 

Kenny Lavitz 

64930 


， 7 

2008-04-24 08:13:52 

Phiz Lairston 

186580 

phizsscore.gif n 
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working with data stored in files 




Tesr DriVq 


Give uploaded screen shot images a permanent home in their own 
image folder. 

Modify the adds core • php script to use the GW—UPLOADPATH constant and store uploaded 
screen shot images in the path it points to. Here’s a peek at the code that needs to change: 


<?php 


LL Fi-f 

(define 


n^-F-i mo the upload path and maximum file size constants 
( 1 GW_UPLOADPATH * , 1 images" )T^ 


if (isset($_POST[ f submit 1 ])) { 

// Grab the score data from the POST 
$name = $_POST[ 1 name 1 ]; 

$score = $_POST[ 1 score 1 ]; 

$screenshot = $ FILES[ ， screenshot ， ][ ， name，]; 


if (!empty($name) & & !empty($score) && !empty($screenshot)) 
// Move t-hp fi 1 ^ to the target upload folder 
$target =(^W_UPLOADPATH screenshot; 
if (move_upioad^d_rilb* (' 


工 LES[ 1 screenshot 1 ] [ 1 tmp_name 1 ], $target)) 
// Connect to the database 


$dbc = mysqli connBct ( 1 www. guit8.rwa.rs . net 1 f 1 8.dinin f , 1 rockit 


1 gwdb 1 ) 


// Write the data to the database 

$query = "INSERT INTO guitarwars VALUES (0, NOW(), 
mysqli_query($dbc, $query); 


$name' 


$score 1 


$screenshot 1 )"； 


// Confirm success with the user 

echo 1 <p>Thanks for adding your new high score!</p> ! ; 
echo 1 <p><strong>Name : </strong> 1 • $name • 1 <br />，； 

echo —^ f - • 1 <br / > f ; 

echo 1 <img src=" 1 .^GW_UPLOADPATH !j$screenshot • ,n alt= n Score image 1 

Back to high scores</a></p> 1 ; 


/></p> , 


echo 1 <p><a href: 


'me 


,pnp- 




addscore.php 

The index . php script is also affected by the GW_UPLOADPATH constant. Don’t forget to 
change it as well. After making these changes, upload the scripts to your server and try adding 
a high score again. 




I ai *1 


Unverified 


The U uhvc\ri-picd w 
is displayed (or older 
s^o\rcs tlioi-t have 
a sdvcch shot ii^el^e- 


The uploaded 

shot is how visible 

ov\ 七 he mdm pay. 





Guitar 


Bfl • 韁 1 ■ 

I PdIZi 

通 i 晷 a 
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more no dumb questions 


thereicire no o 

Dumb Questions 


If the php. ini file can be 
used to control the storage location of 
uploaded files, why is it necessary to 
move the file? 

Because it isn't always possible to 
change php.ini. For example, if you're 
building a PHP application on a virtual 
web server, you very likely won't be able to 
change the settings in php.ini. And even if 
you are able to change php.ini, you run the 
risk of breaking your application if you ever 
need to move it to another server. In other 
words, the application will be dependent on 
a path controlled by php.ini, as opposed to a 
path controlled by your own PHP code. 

Why isn't the date something that 
users can enter in Guitar Wars? 

The date is an important part of a high 
score in that it establishes when a score 
was officially posted to the site. Like any 
record, the first person to achieve a certain 
score gets all the glory. Rather than trust a 
user to tell us when they achieved their high 
score, we can just use the post date/time 
as the official recording of the score. This 
eliminates bogus dates and lends more 
credibility to the high score list. Users of 
such a competitive application will always be 
looking for an angle, so eliminate as many of 
them as you can! 

It is worth pointing out that the NOW () 
function uses the time on the web server, 
which may not be the same as the user's 
local time. This shouldn't be a problem, 
however, since all users are held to that 
same server time. 

Databases are great lor storing 
text Jata , tut it’s usually 
tetter lor tkem to reference 
binary data in external liles. 


Could we have stored the actual 
image data for an uploaded high score 
screen shot in the Guitar Wars database? 

Yes. Databases are very flexible and 
allow you to store binary data within them. 
However, the big problem in this case is that 
Guitar Wars uses the uploaded images in 
HTML code so that they can be displayed 
on the main index.php page. The HTML 
<img> tag is designed to reference an 
image file stored on the web server, not 
a chunk of binary image data stored in 
a database. So even if you altered the 
guitarwars table to hold binary image 
data, you'd be facing a significant challenge 
trying to get the data back into a format that 
can be displayed using HTML code. 

Thcirc s "tcv-vibly special 

about "the \rctuVhcd by the 

-Puh^tioh o-thcir -thah -the 
七 hat it souir^s uhic^uc humbcv-s...thc 

仙州 berm rt \rc-tuirhs is always yro^l 

BULLET POINTS - 

■ The alter statement is used to change the 
structure of a MySQL database table, such as 
adding a new column of data. 

■ With a little help from PHP and MySQL, an HTML 
<input> tag can be used to upload image files. 

■ The superglobal variable $_files is where 
PHP stores information about an uploaded file. 

■ The standard PHP function move—uploaded— 
file () allows you to move files around on the 
web server and is critical for handling uploaded 
files. 

■ Most web applications benefit from having an 
images folder for storing images used by the 
application, especially those uploaded by users. 


Isn't it possible for people to 
overwrite each other's screen shot 
images by uploading image files with the 
same names? 


A 


Yes. The problem has to do with the 
fact that the screen shot image stored on the 
web server uses the exact same filename 
provided by the user in the file upload form 
field. So if two users upload image files with 
the same filenames, the first user's image 
will get overwritten by the second user's 
image. Not good. One solution is to add a 
degree of uniqueness to the image filename 
on the server. A simple way to do this is to 
add the current server time, in seconds, to 
the front of the filename, like this: 


$target = GW_UPLOADPATH 
$screenshot; 


time() 


The result of this code is a filename of 
1221634560phizsscore.gif instead of 
phizsscore.gif, where 1221634560 is the 
current time on the server expressed in 
seconds. 
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working with data stored in files 



I like that the file upload path is stored 
in a constant, but why is it created in 
two places, index.php and addscore.php? 
What happens if the path changes? 


The ^JAPLOAVPATW 

乙 Ohshh 七 s-fcoircs dwdy 
七 he *file upload path -fov- 
shot images. 


dc-f i^cO »s used *to 
Create 6 <wstairrU. 


define('GW 一 UPLOADPATH ’, 
_"The o-f 

"the ^OhS-taht 




images/'); 


TV value o-f i\\t toY\siar\i^ 
yMxcM cav\ yvcvcv- Aa 乎 ..’ 七 5 
tov\s*tay\*t! 


If the path changes, you have to change the code in 
two places...duplicate code is a bad thing! 

So within each of the index . php and adds core • php scripts, the 
GW—UPLOADPATH constant works great. But the constant is duplicated 
in each script, meaning that any change in the path must be updated in 
each script. This kind of code duplication is bad design and should be 
eliminated whenever possible. 







Dulinr fh 一 path constant 

define (' GW_UPLOADPATH' , ' images/ ' ) 



Tl^c doir\s*ta^*t is s*tovcd *bwidc, i*t hds 

*to be rv\d'm*td'med'm *two places. 


index.php 





To solve the duplicate code 
problem, we need to store the 

gw_uploadpath constant 
in a single place. Would you 
store it in index. php or 
addscore. php? Why? 
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sharing script data with include files 


Shared data has to be shared 


When it comes to data that is shared across multiple scripts in an 
application, you need a way to store the data in one place and then pull 
it into the different scripts. But that still doesn’t answer the question of 
where exactly the data should go...? 

You could store the data only in index.php— 



index.php 


Skarect script data 
needs to te accessitle 
tltrougliout an 
application witkout 
code duplication. 


...but then other scripts wouldn't have access to it. 


Dude, where's 
my data? 


So storing shared script data in an existing script file doesn’t really work 
because the data isn’t really shared any more. The answer lies in somehow 
making the data accessible to multiple scripts but without directly storing 
it in any of them. 



addscore.php 




index.php 

How can you make the data accessible to both 


scripts without storing it in either of them? 



addscore.php 



The solution to shared script data lies in include files, which are PHP 
source code files that are inserted into other PHP files as needed. 
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working with data stored in files 


Shared script data is required 

Include files are very powerful because you create them once but then 
reuse them as needed in other script files, effectively sharing the code 
within. The GW—UPLOADPATH constant can be placed within an include 
file to establish a collection of "application variables." 


Include iiles 
allow you to 
skare code across 


multiple scripts. 



The siaie^i 

£ ， 3\rc o-p ih^ludih^ 3 

withih aho-thev- s 〜 ip 七 . 


index.php 


l^lud'm) afpvav-s.pV)\> m o-tV^cv- 
shifts allows {\\ost sdrifU *to 

share data m 


there ^ are no o 

Dumb Questi9ns 


Hey, aren't these application "variables" really constants? 

Sometimes, yes. But that's OK. The point is not to split hairs 
over variables vs. constants. Instead, we're just trying to establish a 
common place to store shared script data within a given application. 
And that place is a script file called appvars.php. 


Is code in shared script files limited to data? 


No, not at all. Any PHP code can be placed in its own script 
file and shared using the require_once statement. In fact, it's 
very common for applications to share lots of functional code across 
multiple script files. Not only is it common to use shared script files, 
but it's often a great idea in terms of code organization. 


Why is the PHP statement to include script code called 
require—once? 

The name "include file" comes from a PHP statement called 
include that is very similar to require_once. The 
difference is that require—once results in an error if the 
include file cannot be found— include won't reveal an error if 
an include file is missing. Also, the "once" in require_once 
means that it keeps a file from being accidentally included more 
than once. You sometimes see include used instead of 
require—once to include code that isn't as important, such 
as pure HTML code that doesn't perform a critical purpose. PHP 
also has include—once and require statements that are 
variations on require once and include. 
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the require_once statement 


Thiwk of 


require once 


as ,, msGrf 


Includes aren’t limited to one shared PHP file, and they can appear 
anywhere you want within a script. You can think of the require once 
statement as an "insert" statement that gets replaced with the contents 
of the script file it references. In the case of Guitar Wars, the database 
connection variables could also benefit from being moved into an include 
file. So the contents of two shared script files are inserted directly into 
other script files at the points where they are required. 


This global viable holds 
irwpo\rtaht affli^iioh 
(Jd'td that both ihdex php 

adds 匕 heed- 




Ra*t^c\r duplicate 

ddidbdse dormedtio 扒 
vavidbles m cvcvy sdvift, 

匕 a 於 move tlicm *to By\ mdude 
-f ile dr\d s\iav-C -tKcm. 


connectvars.php 


Tke REQUIRE_0NCE statement inserts 
skarect script code into otker scripts. 
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working with data stored in files 


<?php 



// Define application constants 
define('GW_UPLOADPATH', 'images/'); 


// Define database connection constants 
define('DB—HOST', 'www.guitarwars.net'); 

define('DB—USER 1 , 'admin'); 
define('DB 一 PASSWORD', 'chiefrocker'); 

define('DB_NAME ', 'guitarwarsdb'); 


// Connect to the database 

$dbc = mysqli 一 connect(DB—HOST, DB_USER, DB_PASSWORD, DB 一 NAME); 


I 

_i 

1 


J 


// Retrieve the score data from MySQL 
$query = "SELECT * FROM guitarwars"; 
$data = mysqli 一 query($dbc, $query); 


// Loop through the array of score data, formatting it as HTML 
echo '<table>'; 

while ($row = mysqli—fetch—array($data)) { 

// Display the score data 

echo '<tr><td class="scoreinfo">'; 

echo ' <span class = "score"> ' . $row [ ' score ' ] . ' </spanxbr />'; 
echo 1 <strong>Name: 〈 /strong 〉 ' . $row['name'] . '<br />'; 
echo '<strong>Date : </strong> ' . $row['date'] . '</td>'; 
if (is—file(GW—UPLOADPATH . $row['screenshot']) && 

filesize(GW_UPLOADPATH . $row['screenshot']) >0) { 

echo ' <tdximg src=" ' . GW_UPLOADPATH . $row [ ' screenshot']. 

'"alt="Score image" /></tdx/tr>'; 

} 

else { 

echo ' <tdximg src='" . GW_UPLOADPATH . ' unverified .gif'. 

'"alt="Unverif ied score" /></tdx/tr> '; 


echo '</table>'; 


mysqli_close($dbc); 

?> 




Tesr DriVq 


index.php 



addscore.php 


X Move the file upload path 
to a constant that is 
shared via an include file. 



Create two include files for Guitar Wars, and then share them among 
the other scripts. 

Create two new text files, appvars . php and connectvars . php, and enter the code for 
them shown on the facing page. Then add require—once statements to index . php and 
adds core • php so that both shared script files are included. Upload all of the scripts to your 
web server and try out the Add Score form and main page to make sure they still work with the 
new and improved include file organizational structure. 
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the ORDER SYsfafemefif 



is everything with high scores 


Guitar Wars is finally image-powered, allowing users to upload screen shot 
images to help verify their high scores. While this is a major improvement 
to the application, it hasn’t solved a problem that users have actually been 
grumbling about for quite a while — the order of the scores on the main page. 




It’s true, the scores aren’t in order. They are being displayed in whatever 
order they’re stored in the database, which is entirely arbitrary. You should 
never rely on the order that data is stored in a database unless order truly 
doesn’t matter. In this case it does, so we need to impose some order on 
the query results. The ORDER BY SQL statement makes such ordering 
possible. 


Phii digs hc\r sdvcch 
shot vc\ri-Pidatioh bu-t 
is a little rwi-P-Pcd ovc\r 
gettihg slotted at 

the bot-tom o-p -the 
high sdo\rc list despite 


Add'm^ a mevj stove 
y \ o\n mvolvcs a 


… whidh looks jv-ca-t e 乂匕 ep 七 
"the s£.o\rcs a\rc^-t m ov-dev*^ 


CuiUr 






I m stoked on having the only score 
with a screen shot image, but why is 
my score at the bottom of the list? 


㈣ 势 

Lid 


Ufiveri fieri 
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working with data stored in files 



PHP& MySQL Magnets 

See if you can figure out how ORDER BY works by using the magnets below to create ordered 
SELECT statements that result in the output below. Also circle which query you think represents 
the best fix for Guitar Wars. Hint: ASC stands for ASCending and DESC stands for DESCending. 



The c^uev-y results ave vc*tuvir>cd 

ovdev - by sdovc, 
ay>d *tKcv> *m asdcrxJ'm^ ovdev- by da*tc 


The <\uc\ry \rcsults a\rc \rctuv-hcd ih 
alphabetical ov-dev- by 


File Edit Window Help YYZ 



+- + -- 


screenshot 


I 7 
I 1 
I 2 
I 6 

H I — 


2008-04-23 

2008-04-23 

2008-04-23 

2008-04-24 

2008-04-22 

2008-04-22 

2008-04-23 


13:34 
0 6:35 
12:53 
13:52 
37:34 
27:54 
14:09:50 


Ashton Simpson 
Eddie Vanilli 
Belita Chevy 
Phiz Lairston 
Paco Jastorius 
Nevil Johansson 
Kenny Lavitz 


368420 

345900 

282470 

186580 

127650 

98430 

64930 


phizsscore•gif 










7 rows in set (0.0005 sec) 
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php & mysql magnets solution 


PUP & MySQL Magnets Solution 


See if you can figure out how ORDER BY works by using the magnets below to create ordered 
SELECT statements that result in the output below. Also circle which query you think represents 
the best fix for Guitar Wars. Hint: ASC stands for ASCending and DESC stands for DESCending. 



File Edit WindowHelpYYZ 

SELECT 


mysql> 


FROM 


guitarwars I ORDER BY 画 name 


+ -+- 

I id I date 

+ - +- 

I 5 I 2008-04-23 

I 4 I 2008-04-23 

I 3 I 2008-04-23 

I 6 I 2008-04-23 

I 2 I 2008-04-22 

I 1 I 2008-04-22 

I 7 I 2008-04-24 

+-+- 




name 


score 


screenshot 




■ — — — -j - 




09:13:34 

09:12:53 

09:06:35 

14:09:50 

21:27:54 

14:37:34 

08:13:52 


Ashton Simpson 
Belita Chevy 
Eddie Vanilli 
Kenny Lavitz 
Nevil Johansson 
Paco Jastorius 
Phiz Lairston 


368420 

282470 

345900 

64930 

98430 

127650 

186580 


phizsscore.gif 





■ — — —J— 


7 rows in set (0.0005 sec) 


The c^uev-y vcsulis av-c vc*tuvir>cd 

y>umcv"'id3l ovdev - by sdovc； - 
a^d *tKcv> ovdev- by da*tc* 


The ^ucv-y v-csults 

alphabetical ov-dev- by 


TV^'is »s <\uc\ry wc 
i^T v\ttd bo t 


mysq]^ 


SELECT 


FROM 


guitarwars I ORDER BY 


-l - 1 - 


date 





name 


-I - 1 - 


score 


screenshot 


2008-04-23 

2008-04-23 

2008-04-23 

2008-04-24 

2008-04-22 

2008-04-22 

2008-04-23 


09:13:34 
09:06:35 
09:12:53 
08:13:52 
14:37:34 
21:27:54 
14:09:50 


H I — 


Ashton Simpson 
Eddie Vanilli 
Belita Chevy 
Phiz Lairston 
Paco Jastorius 
Nevil Johansson 
Kenny Lavitz 




- + 


368420 

345900 

282470 

186580 

127650 

98430 

64930 


phizsscore.gif 






7 rows in /feet (0.0005 sec) 


The ov-dev-'m^ by da*tc is sedo^davy ar>d o^ly applies 

when ave 七 v/o idc^*tidal sCorts, v/hidh does 的七 

haff 伙 bu*t is likely m a lav-^c dd*bd sc*t. 


The ConwmB is vc^uivcd 
■to scpa^a-tc -the -two 
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260 


Chapter 5 
























working with data stored in files 


Honoring the top ftuitar Warrior 

With the order of the scores fixed, it’s now possible to make an 
unexpected improvement to the high score list by calling out the highest 
scorer at the top of the list. The top scoring Guitar Warrior deserves a top 
score header that clearly displays the highest, score, so there is no doubt 
who the top Guitar Warrior is... and what score to gun for. 


A "top sdo\rc headev- 
^Icavly highligh-b the 
"top ^toYt } p\rovidihg B 

^uitair IA/av-v-ioV-s. 


Yes it is. But it doesn't stop us from going ahead and calling 
attention to the top score. It just means that well need to eventually 
clean up the high score list by removing unverified scores. In fact, well 
tackle the unverified high scores just as soon as we finish highlighting 
the top score. 



345900 

Smwi BiHit 


VhJIII 


there J are no 

Dumb Qu©sti 


9ns 


Many of the scores are still unverified? Isn't that a problem? 
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adding a little css 


Format the top score with HTML and CSS 


The most important thing about the new high score header is that it be 
clearly seen above all other scores in the high score list. This requires the 
help of both HTML and CSS to add some visual flair. The header will be 
generated as a row in the HTML table with a special CSS style applied 
to it. This style, tops cor eheader, must be added to the style . css 
stylesheet for Guitar Wars. 


Cchtcv- the 

父 o\re ih the head 饮 


Use a dav-k batkyou^d ^olov- 
y/rtV) V/Wite *to 
i\\c stov-c v-cally pop. 


TVis style class is alv-cady bei^ 
used "to highlight daia 
cvvoirs ih the Add Sdovc sdv-ip-t* 



Make suv-c s\-z£ 

•is tv-a^ked up *tKar^ 

*tKc vcs*t o( sdoves. 


These "two style classes 
alv-cady -fov-ma-t high 

s^ov-c oy\ -the pa^e- 


The index . php script already generates an HTML table containing the 
high score list. Generating a header just for the top score involves isolating 
the first score，which is guaranteed to be the top score since the list is now 
in order. A while loop takes care of looping through the scores, so we 
need to somehow count the scores, and only generate the header for the 
first one... 
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working with data stored in files 


sf\ 


Finish the code for the index.php Guitar Wars script so that it adds a formatted header 
for the top score that uses the topscoreheader CSS style. Hint: Don't forget that the 
top score header is part of the high score HTML table, which has two columns. 


// Loop through the array of score data, formatting it as HTML 
echo ' <table>'; 

$i = 0; 

while ($row = mysqli—fetch array($data)) { 

// Display the score data 
if ( ) { 


echo 

'<tr><td class= n scoreinfo’ 

，>'; 


echo 

'<span class= M score M > , . ^ 

?row['score']. 

'</spanxbr 

echo 

'<strong>Name: 〈 /strong〉' 

.$row['name'] 

.'<br / >'; 

echo 

'<strong>Date : </strong> ' 

.$row['date'] 

.'</td>▼; 


if (is—file(GW UPLOADPATH . $row['screenshot']) && 

filesize(GW—UPLOADPATH . $row['screenshot']) > 0) { 

echo '<tdximg src= M ' . GW UPLOADPATH . $row['screenshot']. 

' M alt= M Score image" /></tdx/tr> '; 

} 

else { 

echo '<tdximg src= M ' . GW UPLOADPATH . 'unverified.gif'. 

' M alt= M Unverified score" / ></tdx/tr> '; 


echo ' </table>'; 



index.php 
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exercise solution 



E/eitctSe 

SoLytiOH 


Finish the code for the index.php Guitar Wars script so that it adds a formatted header 
for the top score that uses the topscoreheader CSS style. Hint: Don't forget that the 
top score header is part of the high score HTML table, which has two columns. 

f*i is {}\t variable dourrts 

■b^voiA^ W 吵 scores - WC 

it -to isolate -fiv-st sdo\rc. 


// Loop through the afray of score data, formatting it as HTML 
echo '<table>'; 


while ($row = mysqli 一 fetch array($data)) { 

// Display the score data 


f fi O f y/C khOW 
i 仏七 he -Pi\rs-t ("top/) sdov-c, 
so \rChdc\r the HTML 
to&t -fo\r the header. 


if ({\~ 0 ) 


f\rov/C i sdo\rc ， 3 - 、 /*td></*br>: 



echo '<tr><td class= M scoreinfo M >'; 

echo ' <span class= M score M > , . $row [ ' score ' ] . ' </spanxbr / > 

echo '<strong>Name : </strong> ' . $row['name'] . '<br / >'; 
echo '<strong>Date : </strong> ' . $row['date'] . '</td>'; 
if (is—file(GW UPLOADPATH . $row['screenshot']) && 

filesize(GW UPLOADPATH . $row['screenshot']) > 0) { 


TKc -bofsdovcKcadcv 
style dlass is s*bovcd 
•m s*tylc dss. 


echo '<td><img src= M ' . GW_UPLOADPATH 

' M alt= M Score image" /></tdx/tr> '; 


$row['screenshot'] 


else 


echo ' <tdximg src= M ' . GW UPLOADPATH . ' unverified. gif 

' M alt= M Unverified score" / ></tdx/tr> '; 


the douh-tev- ai -the 
⑶ d o*P the s^o\rc loop — 七 his 
^oAt is the sar^c as fi — /i + /；. 

echo ' </table>'; 




index.php 
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Tesr DriVq 


Order the high scores and showcase the highest score of all. 

Modify the index . php script to use the new ordered SELECT query, and then add 
in the code that generates the top score header. Upload the new script to your web 
server and open it in your browser to see the top score prominently displayed. 



Unveri fr 


345900 

Xajik PAAit Vjfiilli 


It's cool that the order is 
fixed...but you know any of those 
unverified scores could be bogus. 


n5rl' 


It's true, the unverified scores need to be dealt with. 

But one thing at a time. It seems another problem has surfaced that is 
preventing people from uploading their high score screen shots... 
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adding a size restriction for images 



0 


I enter my high score and screen shot 
image, but when I click the Add button 
I just get a generic error message. I 
can't figure out what's wrong. 


Hoi oK\ly is -f ile Wy 
(nxU\) lav-jcv- i\\av\ VI 

but its Y\oi ev ⑼扣 


-M • 



科， [: ml^f W*r‘ - A4<f 抑 ur 


Guitar Wars - Add Vcinr Higli Score ： 



Mime： rrhi-UlitfhlF 

Some: IdciW 1 
shfll : [ C 


% 


IOOI 

llloio 

OOI Of 

loioill 


ethelshugescore.pdf 


、 


、 


N 


\ 


\ 


\ 


\ 


Not only is the file huge, but it's not an image! 

We have a problem in that our form is rejecting some files but not 
telling users why. It’s actually good that the form is rejecting files, in 
this case because they’re too big — remember we capped the file size 
at 32 KB in the form code. But we need to be clear about telling the 
user why. Not only that, but we don’t want users uploading files that 
aren’t images. Adding validation to the Add Score form will allow us 
to better control how files are uploaded. 

So validation on the image file upload form (addscore • php) 
serves two vital purposes. First, it can beef up the prevention 
of large file uploads, providing users with notification that a file 
can’t be larger than 32 KB. And secondly, it can stop people from 
uploading files that aren’t images. The file upload form needs 
validation for both file size and type. 

Tins cv"\ro\r message docsir\ *b 
■bell usev- ri\[At\\ about 
y/lia*b werrb with 七 k 

Wi# stov-c submission. 


j ^ Sq^t HnhUoru 

Guitar Wars « Add Your High Scun 

prnWeii, H P kuidin|| ^ ur OTn 

~zi—. - - 

!C Ct^l itecWi 
^co<Ki 

ScnM-ji aiM ： •"'owaTipT'- i>om r KCCHd 
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small 

Only images allowed 

So how exactly do we check the Add Score form and make sure uploaded 
images adhere to a certain size and type? The answer lies in the built-in 
$_FILES superglobal variable, which if you recall, is where we earlier 
obtained the temporary storage location of the uploaded file so that it 
could be moved to the images folder. Now we’re going to use it to grab 
the size and MIME type of the file. 


working with data stored in files 



FILES[▼screenshot▼][▼size▼ 

1280472 

FILES['screenshot 1 ] ['type'] 

application/pdf 


TV s •似 d 从 c Aleov^r I MB, 
\S I.Z2 - MB, ov 1,2-^0 

The type of the -Pile is PDF, 

not 舶 addcptablc web 

type, su\) as ^If, Jp^ ov 


We don’t just want image files to be smaller than our 32 KB size limit, but 
we also need them to be a file type that can be displayed as a web image. 
The following MIME types are commonly used to represent web images: 

$ FILES['screenshot']['type'] 


GIF 

image/gif 



or 


JPEG 

image/jpeg 
image/pjpeg 




phizsscore.gif 


PNG 

image/png 


jeanpaulsscore.jpg 



store 

sh 。 七 imay -Piles 


jacobsscore. png 


— your pencil 


Write an if statement that checks to make sure a screen shot file 
is an image, as well as checking to make sure it is greater than 
0 bytes in size and less than the constant GW—MAXFILESIZE. 
Assume the file size and type have already been stored in variables 
named $screenshot size and $screenshot type. 


if 


you are here ► 


267 



















incorporating file validation in the app 

- (parpen your pendl — 

Solution 


Write an if statement that checks to make sure a screen shot file 
is an image, as well as checking to make sure it is greater than 
0 bytes in size and less than the constant GW_MAXFILESIZE. 
Assume the file size and type have already been stored in variables 

c named $screenshot_size and $screenshot_type. 

匕 ome bv-owscv-s — — 

use this mi/i/jb 3 O.P.~!l 

. .1.1. ~ : 妙 . ：： .■•. 

(fs^\rcci^sho*t sizjC > O) && (fsd\rcci^slio*t sizjC <— M/\)<F|L6S|^E)) ^ 


<?php 

// Define application constants 
define('GW_UPLOADPATH', 'images /')； 

define('GW_MAXFILESIZE', 32768); 


// 32 KB 




SmdC "the rwa^irwurw -file siz^ hov/ 
appeals \ y \ mov-c thah cme pbde ir 
the Add Sdovc sdiripi, i-t makes 
sck>sc {o sWc it as a demstant 


appvars.php 




File validation makes the app more robust 

A little validation goes a long way toward making any PHP application 
more intuitive and easier to use, not to mention safer from abuse. Now a 
helpful error message lets the user know the exact constraints imposed on 
uploaded image files. 


C\r\ro\r message helps 
"to explain exactly 
what kihd o-p -Piles 3v*c 
allowed -Pov- upload- 



ethelshugescore.pdf 


utoioi 
OOlOh 

jeanpaulsscorejpg 

phizsscore.gif 


jacobsscore. png 
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S’mde wcVc rwakmj 七 he sdv-ipi mov*e 

\robus-t, ii^s also a good idea io dhcdk 
七 he f—PILES supc\rjlobal b> make 
su\re ihc\rc v/ash^i av\ upload cvvov-. 


P*isflay a deWif 七 We 
cv*v*ov* i*f "tV^c *Pilc is "ti^c 
type o\T -too lav-JC* 


image/jpeg') II 




)&& 




if (! empty($name) && !empty($score) && ! empty ($scVeenshot)) { 

if ((($screenshot_type ― 'image/gif' )11 ^^nshot type == 'image/png') 

($SCree = 一 type ；- 0 ；^ ^ c P r ：en h ^ Gw mKx^LESIZE)) 

^ ($screenshot_size > 0) && (^screenbiiuu^^ 一 

if ($ FILES [ T file']['error ' ] == 0) { 

// Move the file to the target upload folder 

Starqet = GW UPLOADPATH . $screenshot; n 

if (move_uploaded_file($_FILES[ 'screenshot']['tmp_name ], ^target)) 

"Con 赃 t 3 the database USER , DB PASSWORD, DB NAME); 

$dbc = mysqli— connect (DB—HUbi, ud— — - 

// Write the data t 。 the. ， t a b=e . $name ', '$score\ ' $scr4enshot') 

$query = "INSERT INTO guitarwars VALUES (U, wuwu — \ 

mysqli query($dbc, $query), 

// Confirm success with the user 

echo '<p>Thanks for adding your new high score /p 
echo 1 <p><strong>Name:</strong 〉 ' . $name . ， = r 

echo '<strong>Score:</strong> ' - $score • <br / 

ech o '<img src="' - GW— UPLOADPATH . $screenshot 


alt="Score image" /></p> 


： r Q 二 to high 

// clear the score data to clear the form 

$name = 

$score = nn ； 

$screenshot = nf, ； 

mysqli—close($dbc); 


else 


echo <p 


， <D cl ass-error">Sorry, there was a problem uploading your screen shot image 



/P> 


else { , 3 p tI? JPEG, or PNG image file no 


// T ry to delete the temporary screen shot image file 
@unlink($ FILES['screenshot']['tmp—name']); 


else 


echo '<p class="error">Please enter all of the 


information to add your high score.</p >'； 



Tk unlmkO adc-tcs a -file 

-fvom {\\t >Nf\) sewev. We sufpvess its 

cv"VoV" vcfovtm^ ® 

•file unload did^-t actually suutd^ 




addscore.php 


The 3hd irupvovcd 
Add S^oirc s^vipt how 

‘ image -Pile validatioh. 
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test drive addscore.php 




Tesr DriVq 


Add screen shot image file validation to the Add Score script. 

Modify the adds core • php script to use the new image file validation code. Upload the script 
to your web server and try out the Add Score form with both valid images and a few invalid 
files (huge images and non-images). 


tJiereiqre no ^ 

Dumb Questions 


Why are there two different MIME types for JPEG 
images? 

This is a question better asked of browser vendors, who, 
for some reason, decided to use different MIME types for 
JPEG images. To make sure the JPEG file validation works 
across as many browsers as possible, it's necessary to check 
for both MIME types. 

Why is it necessary to check for image files larger 
than 0 bytes? Aren't all images larger than 0 bytes? 

In theory, yes. But it is technically possible for a 0 byte 
file to get created on the server if the user specifies a file that 
doesn't actually exist on their own computer. Just in case this 
happens, adds core • php plays it safe and checks for an 
empty file. 


Why is GW_MAXFILESIZE placed in 
appvars . php even though it is only used in 
addscore.php? 

While it's true that appvars . php is intended for 
storing script data that is shared across multiple script files, it 
is also a good place to store any constant script data. In this 
case, placing GW—MAXFILESIZE in appvars . php 
makes it easier to find if you ever want to make the file upload 
limit larger. 

How does that line of code with @unlink () 

work? 

The built-in PHP unlink () function deletes a file 
from the web server, in our case the temporary image file that 
was uploaded. Since it's possible that the upload failed and 
there is no temporary image file, we suppress any potential 
errors generated by unlink () by preceding it with an at 
symbol (@). You can stick @ in front of any PHP function to 
suppress its error reporting. 
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O 


What about all those 
unverified scores? They 
haven't gone away, you know. 




7 


date 


2008-04-22 14:37:34 
2008-04-22 21:27:54 
2008-04-23 09:06:35 
2008-04-23 09:12:53 
2008-04-23 09:13:34 
2008-04-23 14:09:50 
1008-04-24 08:13:5? 


The high score list must be cleaned up. 

With image file uploading tightened up thanks to validation, we can’t 
ignore the problem of unverified scores any longer. New scores with 
uploaded screen shot images shouldn’t play second fiddle to old scores 
without screen shots that may or may not be valid. Guitar Wars needs a 
way to remove old scores! 

TV^c duv-\rcr\*b "tof sCort is v\oz 
vcv-i-ficd, does / 七 mstill 

^\aCM COY\^\dtY\Ct m uscvs. 


guitarwars 


name 


Paco Jastorius 
Nevil Johansson 
Eddie Vanilli 
Belita Chevy 
Ashton Simpson 
Kenny Lavitz 
Phiz Lairston 










Enn mcjid Etc L«V|I h? | 


Top Scort&: 36M20 


M 期 

SiMK A4 b_>i Kjrr； M 


Unv 印 if ied 


14J900 

明 ^ 


score 


127650 

98430 

345900 

282470 

368420 

64930 

186580 


screenshot 


ed ! 


U^vcv-i-Picd sdov-cs v/i-thoui 
irwajcs Y\tt& -fco be \rCrwovcd 
-Pv-orw -the database； pwto. 


phizsscore.gif 


Write down how you would go about cleaning up the 
unverified scores in the high score list: 
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add an admin page 


?\m for m Admin page 


Since we just need to remove some unverified scores from the database, 
it’s perfectly reasonable to just fire up an SQL tool and manually remove 
rows from the database with a few DELETE queries. But this may not be 
the last time you’ll need to remove a score, and it’s no fun having to resort 
to manual SQL queries to maintain a web application. The idea here is to 
build an application that can be maintained with as little hassle as possible. 

What we need is a page that only the web site administrator has access to 
and can use to remove scores... an Admin page! But we need to be very 
careful in making a clear distinction between what parts of Guitar Wars 
are for the administrator and what parts are for users. 


These pages are for users: 


Wet applications 
olten include 
pages lor putlic 
access, as well as 
actmin pages tkat 
are only lor site 
maintenance. 


T\\t Add S^ovc fay and 
md'm 今 urtar lA/av-s av-c 

desired -fov tY\d usc\rs -to submit 
3r\(ji vic>w *b^civ" iVi# shoves. 



This page is only for the administrator: 


芡 is 

desired cmly (or use by 
i\\t site adm'm'is*tv-a*tov 
— you y/oul(W 七 
uscv"s vcwvovm^ stoves. 


Cr»tk*>^ a “Remove’ 

Imk removes *tKa*t 
^av-titulav- stove. 
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Write down what the Admin and Remove Score scripts need to do in order to accommodate 
a score removal feature for Guitar Wars. Then draw how a score removal affects a row in the 
guitarwars table and the screen shot image file associated with it. 



admin.php 


Web server 




removescore.php 




iotolUj 


guitarwars 


JT 

date 

name 

score 

screenshot 

i 

2008-04-22 14:37:34 

Paco Jastorius 

127650 


2 

2008-04-22 21 : 27:54 

Nevil Johansson 

98430 


3 

2008-04-23 09:06:35 

Eddie Vanilli 

345900 


4 

2008-04-23 09:12:53 

Belita Chevy 

282470 


5 

2008-04-23 09:13:34 

Ashton Simpson 

368420 


6 

2008-04-23 14:09:50 

Kenny Lavitz 

64930 


7 

2008-04-24 08:13:52 

Phiz Lairston 

186580 

phizsscore.gif 
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exercise solution 


BtenciSe 

%OLvi\OH 


Write down what the Admin and Remove Score scripts need to do in order to accommodate 
a score removal feature for Guitar Wars. Then draw how a score removal affects a row in the 
guitarwars table and the screen shot image file associated with it. 


Wnr^ - High Spores Admmia 職 — 

Guitar Wars * High Scorn Admiaistration 

b — ㈣ 仏匕 ㈣ 啦娜_叫虮障咖刪咖赵 

l hli L 灿咖膽桃 24 OflJ 3 忠 1 R t[W vg 

iffl) 抑 d 咖 2:n 

■ ^iJcliHnbsun m9-fM-24 DHdOlzU R^ V r 
^ n - V ^^23 14.-^^ 


Kukd. 


•XM.h.p.hp. all *tlic 卜吵 

s^o\rc \roy/S| vyj'tli 3 Remove jmk bo 
i*t passes *m-fo\rma*tioir\ *to -the Remove 
Sdo\rc sd\rift- 



Web server 





CjjIuj Wara - HJIITWMt 1 鉍啡 



admin.php 

Xh? ir^py.^^.^.p.bp. . s .4y)p.i. .^\rc 

o( *thc dd*tual \rcmoval c^f *thc sdo\rc -fvom 
*thc database ； -the deletion o-f -the image 
-file -f\rom -the scv-vcv, a^d -the display o-f 

a doirvfi\rma*tio 灼 message- 


Guitar Wars - Remove a Hi&K Score 

AIC y ou sunt ㈣ warj [D tlcfcw The foltowl 叫雖挪？ 

^ fflf il ^ O _Curtir WMi . ， Bferttdrt 4 


Guitar Wars - Remove a High Scott 

The Jri^h scare of S6S-12& for Aihson Slnapsoa "svas •succcsaftjUy etmoMjd, 
« B-kV to fl4rrin Mce 



removescore.php 


guitarwars 


id 

date 

name 

score 

screenshot 

1 

2008-04-22 14:37:34 

Paco Jastorius 

127650 


2 

2008-04-22 21 : 27:54 

Nevil Johansson 

98430 


3 

2008-04-23 09:06:35 

Eddie Vanilli 

345900 


4 

2008-04-23 09:12:53 

| Belita Chevy 

「282470 


6 

^ r V/ / • ■ 

2008-04-23 14:09:50 

Msnron oimpson 

Kenny Lavitz 

368420 

64930 


7 

2008-04-24 08:13:52 

Phiz Lairston 

186580 

phizsscore.gif 


AI^oiajV) tv^is pavt^ulav sample voy/ is miss’n^ 

a sdvee^ S^oi Jpilc, Remove ^Cort sdvift 
W.II y^ttdbo delete i 州 ay Ale Wor, tV^c 

scv-vcv- -fov- stoves do \\^t ^ 
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working with data stored in files 


ftewcratG score removal links on the Admin page 


Although the Remove Score script is responsible for the actual score removal, we need an 
Admin script that allows us to select a score to remove. The admin . php script generates a 
list of high scores with Remove links for each one. These links pass along data about a given 
score to the removescore • php script. 


<?php 

require once('appvars.php'); 
require once( 1 connectvars.php'); 

// Connect to the database 

$dbc = mysqli_connect(DB—HOST, DB—USER, DB—PASSWORD, DB—NAME); 



admin.php 


// Retrieve the score data from MySQL 

$query = "SELECT * FROM guitarwars ORDER BY score DESC, date ASC M ; 
$data = mysqli—query($dbc, $query); 


// Loop through the array of score data, formatting it as HTML 
echo '<table>'; 

while ($row = mysqli fetch array($data)) { 

// Display the score data 

echo ' <tr class = M scorerow M Xtd><strong> ' 
echo '<td>' . $row['date'] . '</td>'; 

echo '<td>' . $row['score'] . '</td>'; 

echo '<td><a href= M removescore.php?id=' . $row['id'] . '&amp;date=' . $row['date']. 
'&amp;name=' . $row['name'] . '&amp;score=' . $row['score'] . '&amp;screenshot='. 

$row['screenshot'] . '">Remove</a></td></tr>'; 


TKc URL *bo Remove Store strict 

•IS do\^ more just Imkmj *to 

also \>assm^ data *to \i. 

.$row [ ' name ' ] . ' </strongX/td> ' ; \ 


echo '</table>'; 


mysqli_close($dbc); 


\ This toAt 5c^c\ra-tcs HT/VIL l*mk -to 

-the \rcrw0vcsd0\rc php pass— alo 吒 - 
*rn-fo\rima-tior> aboui 七 he sdo\rc "to be v-emoved- 


?> 




you are here ► 


275 






introducing the GET request 


Scripts caw communicate with each other 


In order for the Remove Score script to remove a high score, it must know 
what score to remove. But that’s decided in the Admin script. This begs 
the question, how does the Admin script tell the Remove Score script what 
score to remove? This communication between scripts is accomplished by 
packaging up the data as part of a "Remove" URL for each high score 
shown on the Admin page. If you closely analyze the URL for a particular 
score, you’ll notice that all the high score data is in there. 


Tke URL of a 

script can te 
usect to pass data 
as a GET request. 



High Scores Administration 

™ ifab 卿⑽ 


A 


<a href= M removescore•php? 
id=5 & 

date=2008-04-23%2009:13 : 34 & 
name=Ashton%20Simpson& 

score=368420&screenshot= n >Remove</a> 


a value, 
sepav-a-bedi 
tv^cv y\awc/value 
a\vs ky av\ t 
wfcv-say>d (f). 


The w Rc^ovc w URL I'mks -to 
"the \rcmovcsdov-c php sdHpt 
but also ih^ludcs data -fov- 
thc \row -to be deleted. 


OK, so data gets passed along through a URL, but how exactly does the 
Remove Score script get its hands on that data? Data passed to a script 
through a URL is available in the $_GET superglobal, which is an array 
very similar to $_POST. Packaging data into a linked URL is the same as 
using a GET request in a web form. In a traditional HTML GET request, 
form data is automatically sent along to the form processing script 
as part of the script’s URL. We’re doing the same thing by manually 
building our own GET request as a custom URL. 

Similar to $_POST, using the $_GET array to access the high score data 
requires the name of each piece of data. 



TV>c URL ^ a 
sevves as a 
^7 *to ?ass 

as IP 



a 


database 


yo>w- 



- GE T['i d '] 





get ['score 1 ] 




The hanr»c of -the 

dais is used 
adless i-fc w'rtliih 
the a^ay. 
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working with data stored in files 



I don't see what all the fuss is with 
GET. Why can't you just pass the data 
to the script using POST? That's how 
you've done it up until now. 


POST requests can only be initiated through a form, 
while GET requests can be packaged as URLs. 


Up until now we’ve always passed data to a script through a web form 
where the script was listed as the action for the form’s Submit button. 
When the user fills out the form and presses the Submit button, the form 
data is packaged up and sent along to the form as a POST request. 


The problem is that the Admin page doesn’t use a form to initiate the 
Remove Score script. It just links to the script via a URL. So we need a 
way to send along data to a script using nothing more than a URL. This 
is where GET is particularly handy since it provides access to data that is 
packaged in a URL as parameters. Similar to POST, the data that gets 
passed along to the script through a GET request is available through a 
superglobal, but it’s named $_GET instead of $_POST. 


I/Vfcb -foimns o-p-tch 
use POST v-c^ucs-ts 
submit dsia, 
whidh is s-tov-cd 
^ fJ>0ST av-v-ay. 


$ POST 


科 。 O Cuitar Add High - 

Guitar Wars - Add Vour liifih Score 




Heoic ： L»5M 
Screen tJvul ： 


GET 


Passm^ da*bs 

d URL- is 

adtomflislicd w'l-bV) 

6\iT, smd 

dd*bd is s-tov-cd "m 

i\\t / 一味 T array. 
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GET vs POST 


Of frETs awd POSTs 


The difference between GET and POST isn’t just form vs. URL since GET 
requests can (and often are) used to submit form data as well. The real 
distinction between GET and POST has to do with the intent of a request. 
GET is used primarily to retrieve data from the server without affecting 
anything on the server. POST, on the other hand, typically involves 
sending data to the server, after which the state of the server usually 
changes somehow in response to the data that was sent. 


POST 

Use d to send data to^ 

some tow ca H s a er |； ng da u in a database. 
serve r，such ^ ed in a response. 

Request is hidden from 


Tke two types oi 

wet requests，GET 
and POST，control 

kow you skuttle data 
between scripts. 


GET 

Typically used for data retrieval that 
doesn’t change anything on the server. For 
small amounts of data, GET is also useful 
for directly sending data to the server in 

a URL . Unlike POST, GET is primarily 
suited to sending small amounts of data. 


tKereiare no o 

Dumb Questions 


I've seen web forms that use GET. How does that work? 

Both GET and POST have their place when it comes to web 
forms. When creating a web form, the method attribute of the 
<form> tag controls how the data is sent, while the action 
attribute identifies the script to receive the data and process it: 

<form method= M post M action= M addscore.php M > 

When the submit button is clicked to submit this 
form, the addscore.php script is executed, and the form data is 
passed along to it through the $_POST array. But you could've just 
as easily written the <form> tag like this, in which case the data 
would get passed along through the $_GET array: 

<form method= M get M action= M addscore.php M > 

Ah, so it doesn't matter which request method I use, GET 
or POST? 


Wrong. It matters quite a lot. GET is generally used for getting 
data from the server, not changing anything on the server. So GET 
is perfect for forms that make informational requests on the server 
without altering the state of the server, such as selecting rows from a 
database. POST, on the other hand, is best suited for requests that 
affect the server's state, such as issuing an 工 NSERT or DELETE 
query that changes the database. Another distinction between GET 
and POST is that data passed through a GET is visible in a URL, 
while POST data is hidden, and, therefore, is a tiny bit more secure. 

How does this distinction between GET and POST factor 
into the passing of data to a script through a URL? 

Well, first of all, you can only pass data to a script through 
a URL using a GET request, so POST is eliminated immediately. 
Furthermore, since GET is intended purely for requests that don't 
alter the state of the server, this means you shouldn't be doing any 
INSERTS, DELETE FROMs, or anything else that will change 
the database in a script that receives data through its URL. 
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Fireside Chats 



Tonight’s talk: GET and POST 


POST: 


So, word on the street is you’ve been saying all I'm 
good for is asking questions but not really doing 
anything with the answers. Is that true? 


Sure is. Let's face it, you don't have any real power, 
just the ability to ask the server for something. 


OK, so it’s true that I'm not really intended to be 
causing changes on the server such as deleting files 
or adding database rows, but that doesn't mean I'm 
not important. 

If you say so. All I know is not a whole lot would get 
done without people like me making things happen 
on the server. If the server was always stuck in the 
same state, it would be pretty boring out there. 

True, but you're permanently connected to your 
good buddy, Form, whereas Form and I are merely 
casual acquaintances. I leave room for other friends, 
such as URL. 


So you think your "circle of friends" somehow 
overcomes your inability to take action? I doubt it. 


Well, then I have a question for you. How exactly 
do you take action when your little sidekick, Form, 
isn't around? You know sometimes Page doesn't find 
it necessary to go to the trouble of involving Form. 

Listen, Form is my friend, and long ago I made a 
commitment not to do any requesting without him. 
So judge my loyalty if you must, but I won’t betray 
my friend! 

Calm down. I’m just pointing out that while I'm 
geared toward retrieving data from the server, I'm 
fairly flexible in how I can be used to do it. 


I’ll give you that. You're alright by me. 


Glad to hear it. It's been good talking to you... 


you are here ► 


279 


how removescore.php will work 


&ET, POST, awd high score removal 


We’ve established that the removal of scores in Guitar Wars starts with 
a "Remove" link on the Admin page that links to the Remove Score script. 
We also know that score data can be passed through the link URL to the 
Remove Score script. But we have a problem in that a GET request really 
shouldn’t be changing anything on the server, such as deleting a score. A 
possible solution is to not change anything on the server... yet. What if the 
Remove Score script initially displayed a confirmation page before actually 
removing a score from the database? 


尸 I n n 


QylarWart 


iHigph Scot# 


Guitar Wars - Remove a Hi&li Score 


Naww: AUmMi Sunpsco 
ZHHS-M-23 W-]3:：H 

13 TCS- O ^ 


A ^oh-fiirma-tioh page aives -the 

3 -to the 

high sto^rt removal ihs-tcad o( 
j us "t ^emovihg i-t ihs-bh-tly. 


« IQ B^mip. caee 


The confirmation page shows the score that is up for removal with a 
simple Yes/No form. Selecting Yes and clicking the Submit button results 
in the score being removed, while choosing No cancels the score removal. 


It’s entirely possiLle^ 
even kelpiul in some 
cases，lor tke same 


Thinking in terms of GETs and POSTs, the Remove Score script can 
display the confirmation page as a response to the GET request from the 
Admin script. And since the confirmation itself is a form, it can issue its 
own POST request when submitted. If the form is a self-referencing form, 
the same script (removescore . php) can process the POST and carry 
out the score removal. Here are the steps involved in this process: 


script to respond to 

Uk GET and POST 

requests. 


The Remove Score script is initiated through a GET request by 
the user clicking the "Remove" link on the Admin page. 

© The Remove Score script uses the high score data stored in the 
$_GET array to generate a removal confirmation form. 

The Remove Score script is initiated again, this time, through a 
POST request by the user submitting the confirmation form. 

The Remove Score script deletes the score from the database 
and also deletes the screen shot image file from the web server. 
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Guitar Wars，High Scorn Administration 

I w 奶 _ 咖,叫 齜 :P ㈣ 抓咖 咖 a 

! 恤 ㈣ 獅 W 2 现 ] 3:m _ 

2S241A Eno^ 

幽 s 2 kb^. m om-jhijmo stum: 

^-djohno^ ms<^.2^mm ： uvm30 R^r 

^ nny lM ^ 咖机 23M ： £HfcSf5 柳 M R?nwvc 


wcdsd 


Let’s take a look at how the score removal process 
unfolds through this series of steps... 

A 今 £T v-c^ucsi is used 
"to initiate 七 he Remove 
^ Sdolrc sdiripi Bv\d pass 

alo^j -the hijh sdoire da-ta 
-thiroujli a URL. 


admin.php 


p n P Qjirar Wart ■ fig miw g a Hig h ^r* 

Guitar Wars - Remove a Hi# Score 

A^yM^ymiTMarji m 她《此为咖邮 _ 賴？ 

NftBW: AS&U5® SUflpS® j _ 

Ufitet OT-.]3->3 ^ 

S.cor« 3*^20 

« Ytt O 


? POST 


« Back iq t^ mir - Mgg 


removescore.php 


« n o 


A POST vc<\ucst is 
used bo m'rtia*tc *thc 
Remove Sdovc sdrif 七 
(a^a'mO and pass 
aloy>5 *thc Ki^h stort 
{jo be deleted- 


/ i # 
§ ^ ^ 


r i：ux 


$_GET 

The sdv-cc^sho-t da*ta is 
empty -Pov- -this IVijh sdov-c. 

This is the exadt 
same s^Hp-t v-cad-tmg 
di-PWh-tly defehdi^ 

Oh y/hethev i-t vcficivcs a 

6j^T o\r POST v-c^ucst 


Cuilir WSifg - Refnort A ligh Sccir 


Guitar Wars - Remove a High Score 

si^rt of JSS^SO'Jior Ashnn Slrctpson iu«icsd^utly 
<< BkTc co MPii 


removescore.php 


The Remove £Corc shrift 
deletes *tiic stove -fv-om {}\t 
database av\d >*b screen s\\oi 
file -fvom i\\t >/cb sevvev-. 
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more on GET and POST 



How can the same script process both GET and POST requests? 

It all has to do with how a script is invoked. In the case of the Remove 
Score script, it is invoked in two different ways. The first way is when the 
user clicks a "Remove" link on the Admin page, in which case a URL leads 
them to the script. Since data is packaged into the URL, this is considered a 
GET request. This GET request causes the script to generate a web form 
whose action refers back to the same Remove Score script. So when the 
user submits the form, the script is invoked a second time. But unlike the 
first time, there is no fancy URL with data packaged into it and, therefore, no 
GET request. Instead, the high score data is passed along through a POST 
request and is, therefore, available in the $_POST array. 

So the manner in which the script is invoked actually determines 
what it does? 

Yes! When the script sees that data has been sent through a URL as a 
GET request, it knows to display a confirmation form, as opposed to deleting 
anything from the database. So the data sent along in the $_GET array 
is used only within the confirmation page and has no lasting effect on the 
server. 

When the script sees that data is being delivered through a POST request, 
the script knows that it can delete the data from the database. So it uses 
the $— POST array to access the data and assemble a DELETE FROM 
query that deletes the score. And since most high scores also have a screen 
shot image file stored on the web server, the script also deletes that file. 
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Isolate the high score for deletion 


With the score removal process laid out, we can now focus our attention 
on the database side of things. The Remove Score script is responsible 
for removing a high score, which means deleting a row from the database 
of scores. If you recall, the SQL DELETE FROM statement allows us 
to delete rows. But in order to delete a row, we must first find it. This is 
accomplished by tacking a WHERE clause onto a query that uses DELETE 
FROM. For example, this SQL query deletes the row with the name 
column set to ' Ashton Simpson ' : 



This <^uc\ry deletes \rows 
a dolurnh 

Ash"fcoh Sirwpsoh’. 



DELETE FROM guitarwars WHERE name = 'Ashton Simpson' 


guitarwars 


JT 

date 

name 

score 

screenshot 

i 

2008-04-22 14:37:34 

Paco Jastorius 

127650 


2 

2008-04-22 21 ： 27:54 

Nevil Johansson 

98430 


3 

2008-04-23 09:06:35 

Eddie Vanilli 

345900 


4 

2008-04-23 09:12:53 

Belita Chevy 

282470 


5 

2008-04-23 09:13:34 

〔Ashton Simpson 1 

丨 368420 


6 

2008-04-23 14:09:50 

Kenny Lavitz 

64930 

- — 

7 

2008-04-24 08:13:52 

Phiz Lairston 

186580 

phizsscore.gif 


The -table ir>amc is vc^uivcd 
by DELETE FROM *to 
ky>oy/ ^\\\cM youVc 

dclctm^ da*ta -fv-om. 


TTiC holme o( the usev- 
is the used "fco 

delete the high s^oV-C- 


There’s a problem with this query, however. In a world full of millions of 
Guitar Warriors, odds are there will be more than one Ashton Simpson. 
This query doesn’t just delete a single row, it deletes all rows matching 
the name ' Ashton Simpson '. The query needs more information in 
order to delete the right row: 


DELETE FROM guitarwars WHERE name = 'Ashton Simpson 



By the sdov~c ih 

additioh -to the the 

deletion gets rno\rc 


AND score = ' 368420 ' 


guitarwars 


id 

date 

name 

score 

screenshot 

1 

2008-04-22 14:37:34 

Paco Jastorius 

127650 


2 

2008-04-22 21 . 27:54 

Nevil Johansson 

98430 


3 

2008-04-23 09:06:35 

Eddie Vanilli 

345900 

- — 

4 

2008-04-23 09:12:53 

Belita Chevy 

282470 


5 

2008-04-23 09:13:34 

^Ashton Simpson 

368420 


6 

2008-04-23 14:09:50 

Kenny Lavitz 

64930 


7 

2008-04-24 08:13:52 

Phiz Lairston 

186580 

phizsscore.gif 



The AND oj>c\ra-feo\r 
the <\uc\ry so -that both -the 
aK>d s^o\rc rwus-fc 


Novj bo*t^ 3r\d 

stove l^avc *to odds o( 

a^idc^-tally move oy\c 

stove av-c deceased dv-a^a*tidally- 
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putting a LIMIT on your DELETE 


Control how much you delete with LIMIT 


Using both the name and score columns as the basis for deleting a 
row is good... but not good enough. Application development is about 
minimizing risks at all cost, and there’s still a slight risk of deleting 
multiple rows that match both the same name and score. The solution is 
to force the query to only delete one row no matter what. The LIMIT 
clause makes this happen: 


DELETE FROM guitarwars WHERE name = 'Ashton Simpson 


IWrt o\ rows 

be deleted. 



AND score = '368420' LIMIT 1 


The number following LIMIT lets MySQL know the maximum number 
of rows to delete — in this case, one. So we’re guaranteed to never delete 
more than one row with this query. But what if there were two Ashton 
Simpsons with the same score? Sure, this is an unlikely scenario, but it’s 
sometimes worth considering extreme scenarios when working out the 
best design for an application. 


id 


2 

£ 

A 


c; 


5 



date 

2008-04-22 14:37:34 
2008-04-22 21:27:54 
2008-04-23 09:06:35 
9nnft-0i-23 09:12:53 


2008-04-23 09:13:34 


2008-04-23 14:09:50 

2008-04-24 08:13:52 


guitarwars 

name 

Paco Jastorius 
Nevil Johansson 
Eddie Vanilli 
Belita Chevy 


Ashton Simpson 


Kenny Lavitz 
Phiz Lairston 


523 2008-11-04 10:03:21 Ashton Simpson 


score 

127650 

98430 

345900 

282470 


368420 


64930 

186580 


screenshot 


phizsscore.gif 


368420 ashtonsscore.jpg 




Two high store 

'rows y/i-th the 

store 

3 pv~oblcr»> TOV" out 

DELETE <\uc\ry. 


Write down what happens to this table when the DELETE 
statement above is executed. How could you make sure the 
right Ashton Simpson score is deleted? 
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Would it be any better to use the ID of 
the score in the WHERE clause of the 
DELETE FROM query? It might help make 
sure we delete the right score, no? 


Yes, it would! The ID of a high score is the perfect way 
to isolate the score for deletion. 

Uniqueness is one of the main advantages of creating primary keys for your 
tables. The id column in the guitarwars table is the primary key and 
is, therefore, unique for each and every high score. By using this column 
in the WHERE clause of the DELETE FROM query, we eliminate all doubt 
surrounding which score we’re deleting. Here’s a new query that uses the id 
column to help ensure uniqueness: 

DELETE FROM guitarwars WHERE id = 5 


Trusting that the id column is indeed a primary key results in this code 
safely deleting only one row. But what if you didn’t create the database, and 
maybe uniqueness wasn’t properly enforced? Then a LIMIT clause might 
still make some sense. The rationale is that if you intend for a query to only 
affect one row, then say it in the query. 



Pclctihg data based oh a 
f\rima\ry key helps -to ehsuv-e 
a^^uv-a^y m isolatihg -the 

\riglvt \row -Po\r ddetioh. 


DELETE FROM guitarwars WHERE id = 5 LIMIT 1 

It’s never a bad idea to be very explicit with what you expect to be done in a 
query, and in this case LIMIT adds an extra degree of safety to the DELETE 



T\\t LIMIT dlausc c%pli6*tly 
states 

delete V"oy/- 


query. 
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finish the removescore.php script 



PHP& MySQL Magnets 

The removescore.php script is almost finished, but it is missing a few 
important pieces of code. Use the magnets to plug in the missing 
code and give Guitar Wars the ability to eradicate unwanted scores. 

< ht ml xmlns--htt P ://www. w3.org/1999/xhtml'- xml:lang-en" 

^^eta http-equ.v^Content-Type- content-text/html; charset=utf-8-V> 

<title>Guitar Wars - Remove a High Score</t,tle> ^ 

〈link rel= M stylesheet M type= M text/css hre y 

</head> 

<h2>Guitar Wars - Remove a High Score</h2> 


<?php 


('appvars•php') 


('connectvars.php ')； 

. / rvr r ' e ' 1 ) && isset ($ GET [ ' name ' ] ) ^^ 

if (isset($_GET['id']) && isset($_GET[ date J) - 

isset($ GET['score']) & & isset($—GET[ . 


])){ 


// Grab the score data from the GET 
$id = $_GET['id ']； 

$date = _ $_GET['date']; 

$name = $_GET['name']; 

$score = $_GET['score']; 

=$_GET[ ]; 

i lse lf (l sset ( $ _POST [ - 1 dM) && issetl^POSTt'nameM) && isset ( $ _POST [• score •]) ) { 

// Grab the score data from the POST 

=$ POST [ ]，• 


$name = $_POST['name']; 

$score = $_POST['score']; 

} 

else { 

echo '<p class= M error M >Sorry ； 


no high score was specified for removal.</p> 


if (isset($—POSTrsubmit 1 ])) { 

if ($_POST ['confirm']== )( 

// Delete the screen shot image file from the server 
@unlink(GW_UPLOADPATH . $screenshot); 
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LIMIT 


// Delete the score data fr ⑽ the database 

^ M quitarwars WHERE .. 

$query = ^ . 

mysqli query($dbc, $query ), 

mysqli—close($dbc); 

// Confirm success with t^^ser , for . . $n ame . 1 was successfully 

echo '<p>The high score of . ?score . 

} 

"'echo '<p class^error->The high score was not removed. </p >'； 


removed 


else if (isset( 


&& issst( 


&& isset( 


& & 


isset ($score) && isset ($screenshotn^{^ ^ following high score?</p >-； 

echo '<p>Are you sure you /><strong>Date: 〈 /strong 〉， • $date 

echo •<p><strong>Name: </strong> • ?name . 

, _ . _ • / /o-h-ronrr> ' . $SCOre • </P> r 


= M post M 

action: 

'radio" 

name= M c 

'radio" 

name= M c 

"submit' 

'value: 

"hidden' 

1 name= 

"hidden' 

11 name= 

"hidden' 

11 name= 


value: 


/ >'； 


• $name . '" />'r 

• $score . ,M />'} 


echo ' 〈 /form 〉，； 


echo '<p><a href = 

?> 

</body> 

</html> 


>&lt;&lt; Back to admin page</a></p> 




$name 




removescore.php 


—f 

$id | 

j 1 screenshot' L 

r ~ 


$screenshot 


$id 


require 


once 
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the finished removescore.php script 



PHP & MySQL Magnets Solution 

The removescore.php script is almost finished, but it is missing a few 
important pieces of code. Use the magnets to plug in the missing 
code and give Guitar Wars the ability to eradicate unwanted 

< ht ml xmlns-http://www. w 3 .org/ 1999 /xhtml- xml:lang-en" 

<h r 二 http-equ.v^Content-Type- content-text/html; charset=utf-8V> 

<title>Guitar Wars - Remove a High e css ” /> 

〈link rel= M stylesheet M type= M text/css hre y • 

</head> 

<body> ^ Srore</h 2 > \uWAt S^tA SdV-'lf*t 

< h 2 > G u lt ar Wars - -move a H.gh Score</h 2 ^ ^ ^ ^ cd ^de 

i\Y\Ct -tiicy av-c tv-itidal *to 

require 一 once I rappvars. P h P '); ^ ^ 咖 0 val . 


<?php 


require_once 


('connectvars•php ')； 


: f ⑽峨沉二⑴ “ ,sset( $ _ G ETrdateM) && i s set ( $ _GET r name >]) “ 


isset($ GET [ 丨 score 丨 ])&& isset ($_GET[ 


// Grab the score data from the GET 
$id = $_GET['id ']； 

$date = _ $_GET['date']; 

$name = $_GET['name']; 

$score = $_GET['score']; 


])){ 


TV stvift reacts d 似 eva 七 h/ 
vc®\ucs*b »s a ov a POST. 


GET [ 


1 screenshot 




$name : 
$score 


一 POST[ ， name']; 

5 POST['score']; 


Lse if (isset ( $ _POST['id']) && isset ( $ _POST ['name •] ) && -set ( $ _POST [• score']) ) { 

// Grab the score data from the The & PHP C\r\ro\r suppression di\TCd*tivc pVCVChts 

post[ I 'id'~^]; -P\ronr» bc'mj displayed. This makes sense 

I … ■ ’ 二 ~ - ' *fov u^l'mkO s\y\U wc may be attemptmj io 

delete a -file that does〆 七 Wist h \nW\cM tasc, 
v/e Aoy\ {, the usev -to see 3r\ cvvov. 

Ligh score was specified for removal.</p > ! ； 

This s^ripi CBv\ be used 
■to \rcrwovc shoves, 
so the uploaded image 
-Pile rwust be ddeied as 

pav-t of the \rcrwova|. 


else { 

echo '<p class= M error M >Sorry, 


if (iss^($_POST [ ' submit' ] ) ) { 

if /$_POST ['confirm']== 


Delete the screen shot image file from the server 
@unlink(GW_UPLOADPATH . $screenshot); ^ 


DB — USER , DB —_ ⑽' «); 
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丁 he id 匕 olu_ is matched by 

the DELETE c^uciry, alo^a with 
usih 3 a Lim Oh C vow 


// Delete the score data from the database 
$query =" 


DELETE 


FROM 


guitarwars WHERE 


id 




LIMIT 


* * 


xnysqli quGry ($dbc r $qu 0 ry) r 
mysqli__clos6 ($dbc); 

// Confirm success with th^user , for . . $n ame . 1 was successfully removed, 

echo '<p>The high score of • ?score . 

} 

"'echo '<p class^error->The high score was not removed.</p >'； 


else if (isset( 


&& issst( 


$name I 


&& isset( 


isset($score) && the following high score?</p >-； 

echo '<p>Are you sure you /><strong>Date: 〈 /strong 〉， • $date 

echo •<p><strong>Name: 〈 /strong 〉 • ?name . 

»<br /><strong>Score: 〈 /strong〉 1 . $score . P ^ 

echo '<form method="post'- action="removescore .php / ,• 

^ ::: r ” 

echo '<input type:”submit” value=-Submit" subnet / , 

echo 1 〈input type= M hidden M name= 


valuV 


/ >'； 


echo I〈input type: 
echo ,〈input type: 
echo '</form>'; 


'hidden' 

'hidden' 


name= 

name: 


'name" value=' 
’score" value: 


5name . ' M />、• 

[score . '" /> 




echo '<p><a href= 

?> 

</body> 

</html> 


>&lt 


&lt; Back to admin page</as^</p >'； 


Provide a l*mk badk 
"to 七 he AdU’m page -to 
impirovc ^avi^aiio^. 



-few Widdcy\ -fov"w> -fields 3v*c 
used *to s-torc stove d3*t3 
so -tViat it jc*b scy\*t as 

POST vc^ucst 


l/Ve doh-t use f_SBRVBRCVHP__ 

SELF J hc\rc because it would 

i^ludc ahy data that had beeh 
passed "tlurou^li U/^L- ^ucv^y 
stvihg as a ^ET. I/Vc waht -fco make 
suv-c ho ^ET data is passed aloh^ 
with "this -PoV"rw — 咖 ly POST dais. 


Tiicv-c y/cv-c a -few 
ma^cts Ic-f-tovcv-. 


^ 7 l 




removescore.php 


The doy>-f*iV-ma*t*ioy> -fo\rm 

is OY\ ly displayed \( all 
o-f -these store 
variables avc set 
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test drive the final guitar wars app 




Tesr DriVq 


Add Remove Score and Admin scripts to Guitar Wars so that scores 
can be removed. 

Create two new text files, removes core • php and admin . php, and add the code to them 
that you’ve just worked through. Upload the new scripts to your web server, and then open the 
Admin script in your web browser. Click the "Remove" link for a score you’d like to get rid of, 
and then confirm its removal on the Remove Score page. Return to the Admin page to make 
sure the score is gone, and then go to the main Guitar Wars page (index . php) to see the 


change there. 


The pay 

provides I'mks -bo v-cmovc 
uy\VCV"i-f icdi hi# sd-ovcs. 


L'»Ulc Oatok, 

Wi^'iov rotV ^od'»57 






The legit 
lVa\r\rio\rs a\rc how 
h^ffy to SCC Ohly 

vc\riticd high sdov-cs. 


Uuilmr ViMn- (bhk Siwn 






U^vcvi-f icd Wi# sdoves, 
■tKosc y/i*tKou*t siio*t 

images, Kavc y\o\h be ⑼ 

vemoved -fv-om *tilC sys*tcm. 


The ^cy/ Remove 
Sdolrc page 
takes da\rc o-P 
both 

dhd ircrwovmg 

sdoircs. 



TV mdrn ^uitav 
lA/avs pay v\o>n 
or\ly slioy/s vcv-1-f icd 

IV 吵 stores. 




■ ㈣ iHjh 


qhKI 

ISKffljn 
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working with data stored in files 



PHP&MySQLcross 

Tired of uploading image files? How about uploading some 
knowledge into a bunch of squares laid out in a puzzle? 



Across 

I. The type attribute of the 〈 input〉tag must be set to this for a 
file upload form field. 

4. It's usually a good idea to store uploaded application images 
in an …… folder. 

8. This SQL statement is used to change the structure of a table. 

10. This SQL statement is used to put the results of a query in a 
certain order. 

II. Information about uploaded files is stored in the $_ ■■… 
superglobal variable. 

12. This PHP statement is used to insert code from another 
script. 

13. It's a good idea to do this to newly uploaded files. 


Down 

2. To prevent a DELETE FROM statement from deleting more 
than one row, use this SQL statement. 

3. When a file is uploaded through a form, it is placed in a …… 
folder on the web server. 

5. When altering a table, this SQL command takes care of 
adding a new column. 

6. This PHP statement is used to create a constant. 

7. Include files are very handy for.data among several 

script files. 

9. This SQL statement is used as part of another statement to 
order query results in descending order. 
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php&mysqlcross solution 



PHP&MySQLcross Solution 
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working with data stored in files 



Your PHr ^ MySQL Toolbox 

Feel free to take a virtual bow. Not 
only are you loved by virtual guitarists 
worldwide, but you've also added quite 
a few new skills to your PHP and MySQL 
skillset: altering the structure of tables, 
handling file uploads, controlling the 
order of data, and removing data. 






Use 

d 


C0 IA3MN 


table 

column 


images | 


typ 


e 




stak 


aA , A 3 




0 “ala ^ 






This -Poldicv* pvovidcs a COYWltY\\tY\i 
lodat»or\ -to s-tovc images fov* 扣 

v/eve uploaded by usevs. 




include, include once , 
require, require 一 once 

These PHP s*ta*tcmcir»*b alloy/ 
you *to shave sd\rip*b toAt across 
mu 1 七 iple sdrip-t -files *m air» 
appli6a*tio^ duplicate 

todt ^Y\d -the todc easier 

*bo rr\3m*t3m- 


$—FILES 

This buil*t-ih PfiP supev^loba! 
vahablc shores ih4^matioh about 
"Piles h^vc bcch uploaded 
through a -file Ihfut -fo\rm. Y^>u 
use it to dctc\rmihc the 

ihe tcmpo\ra\ry storage lodatioh 
of the -file, the -file size； ahd -the 
•file type, amohg othc\r thihgs. 


ORDER BY column 

气 s ^"tc^Cht o\rdc\TS ihc 

n 败 y bed 0h a 

^DFcr 0l rT ^ daia ' Use Asc 

, DB f c ± ^ ^ 

to the dsia ih asu^a 
^ dcs^hdihg o^deK ASC is ihc 


DELETE FROM table 
WHERE column = match 

LIMIT num 

Use S6JL s*ta*tc^c^*t *to 
v^er^ove d V"ov/ -fv-om d did*t3basc 
-table- Mov-c 乙扣 

(a^d o^*tcir\ should) be used *to 
im^ove *tlic a^^uva^y c^f 
deletion ⑽七 *to mCir\*tio^ 

*tliC deletion *to 5 V"OV/* 
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6 securing your appliccitlon 



參 Assume they’re all 

out to get you 


A short climb, a little 
telephone rewiring, and this 
little one-horse town won’t 
know what hit it. 




Your parents were right: don’t talk to strangers, or at least 

don’t trust them. If nothing else, don’t give them the keys to your application 
data, assuming they’ll do the right thing. It’s a cruel world out there, and you can’t 
count on everyone to be trustworthy. In fact, as a web application developer, you 
have to be part cynic, part conspiracy theorist. Yes, people are generally bad, 
and they’re definitely out to get you! OK, maybe that’s a little extreme, but it’s 
very important to take security seriously and design your applications so 
that they’re protected against anyone who might choose to do harm. 


this is a new chapter 
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guitar wars has been hacked 


The day the music died 

Uh oh, our young virtual rock prodigy’s moment in the limelight 
has been short-lived, as Jacob’s top Guitar Wars score is somehow 
missing, along with all the other scores. It seems a diabolical force 
is at work to foil the high score application and prevent Guitar 
Warriors from competing online. Unhappy virtual guitarists are 
unhappy users, and that can only lead to unhappy application 
developers... you! 



与 i/iiair Wavs -top 

-fightihg mad at 
p' s ^°P disappcav-ihg 
w -the high Sdovc list. 

Ja^ob^ musical >wc3for\ 

Jc cMo\ct, a v'mtajc 
2 . 00 ^ Ev-ad'^as-tcv-. 
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Where did the high scores go? 

We know that the main Guitar Wars page is empty, but does that mean the 
database is empty too? A SELECT query can answer that question: 

_fjj e Edit Window Help lf6Was9 


mysql> SELECT * FROM guitarwars ； 


SELECT <\ucvy vcvcals 
七 ha 七 v/avs -table 

is domplc*tcly cmfty—all 
七 lie stores avc ^ov\e! 


H - 1 — 


- h- 


date 




H - 1 - 

H - 1 - 


name 


score 


- 1 — 


screenshot 










0 rows in set (0.0005 sec) 


Somehow all of the high score rows of data have been deleted from the 
Guitar Wars database. Gould it be that maybe someone out there is using 
our Remove Score script to do evil? We need to protect the scores! 



Circle which of the following techniques you could use to protect the Guitar 
Wars high scores from bitter virtual guitar haters, and then write down why. 


n Password protect the Admin page so 

that only people who know the password 
(you!) can remove scores. 


n Create a user registration system, 
and then only give some users (you!) 
administrative privileges. 


n Check the IP address of the computer trying 
to access the Admin page, and only allow 
certain ones (yours!). 


n Eliminate the score removal feature 
altogether. 
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protecting guitar wars } high scores 



Circle which of the following techniques you could use to protect the Guitar 
Wars high scores from bitter virtual guitar haters, and then write down why. 



Password protect the Admin page so 
that only people who know the passwon 


(you!) can remove scores. 


Password pajc is 3 good 

^uidk diy-*ty sojuti.o^ bcdausc its "too 
Complicated Bv\d i*t secures -the si*tc ^uidkly. 


Check the IP address of the computer trying 
to access the Admin page, and only allow 
certain ones (yours!). 


Chcdkmj IP addy-css y/oy-ks bu-t it makes 
■the si*tc you\r !P 

address ； ^W\t\\ vcv-y well may 


All 七 e6Vmi'ues are 

^t\ 


,\td because tiicy all solve 
p\roblcw») 3l*b^ou^ii some 
moV"C viable 七 ha” o*t^cv"S. 



fl 


Create a user registration system, 
and then only give some users (you!) 
administrative privileges. 


/\ usc\r \rcjis*t\ra*tioir\ system y/i*th ddm'm 
pv-ivilejes is d 3\rca*t solution bu*t involves d -faiv 
amouir )*!： o( dodm^ c-f-fo\rt ： .. ^ui*t3\r 

yVa\rs. hCC.ds scdu\ri*ty Y)OV/! . 



Eliminate the score removal feature 
altogether. 


Rcmovmg -the -feature dc\r*ta*mly solves -this 
spe 匕 i*fi 乙 problcn^ bu*t i-f you \rcdall, *t^C \rcmoval 
-feature v/ds o\rig,mally sdded m previous 
^hap*tc\r *to mdke -the Si*tc casiev- *to 
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Securing the teeming hordes 


A simple and straightforward way to quickly secure the Guitar Wars high 
scores is to use HTTP authentication to password protect the Admin page. 
This technique actually involves both a user name and a password, but 
the idea is to require a piece of secret information from an administrator 
before they have access to restricted application features, such as the score 
removal links. 

When a page is secured using HTTP authentication, a window pops up 
requesting the user name and password before access is allowed to the 
protected page. In the case of Guitar Wars, you can limit access to the 
Admin page to as few people as you want, potentially just you! 


HTTP autkentication 

provides a simple 
way to secure a page 

using PHP. 



丁 he ftTTP authch-ti^atioh 
wihdow how s-tahds brtv/CCh 
uscvs 3hd "the Adi^ih 



D0W，T 

TRUST 

THIS 

SMILE! 


guitarwars 


id 

date 

name 

score 

screenshot 

14 

2008-05-01 20:36:07 

Belita Chevy 

282470 

belitasscore.gif 

15 

2008-05-01 20:36:45 

Jacob Scorcherson 

389740 

jascobsscore.gif 

16 

2008-05-01 20:37:02 

Nevil Johansson 

98430 

nevilsscore.gif 

17 

2008-05-01 20:37:23 

Paco Jastorius 

127650 

pacosscore.gif 

18 

2008-05-01 20:37:40 

Phiz Lairston 

186580 

phizsscore.gif 

19 

2008-05-01 20:38:00 

Kenny Lavitz 

64930 

kennysscore.gif 

20 

2008-05-01 20:38:23 

Jean Paul Jones 

243360 

jeanpaulsscore.gif 



ttigh s^oircs ih the database 

a 代 how sihde the 

Adrwih page is pv-otc^-tcd- 
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using http authentication 


Protecting the ftuitar Wars Admin page 

HTTP authentication works like this: when a user tries to access a page 
protected by authentication, such as our Admin page, they are presented 
with a window that asks them for a user name and password. 


丁 he web b\roy/sc\r uses a 
window like -this -fco v-c<\ucst 
a usc\r holrwc av\d fdsswov^d ^ 
bc-Po\rc allowih^ aucss -to a 
^oitdtd page. 


To keep things 
simple, -the 
passwo\rd ish’t 
Chd\ryptcd. 


T <3 view Lhi& n wd loa in to 

■fguiuf 刪 * 

wamfiii -mW be ic^ ^ 


This PUP supcv-globoll variable 
s-fcoves the usev* hdme ch*tc\rcd 
•m*to the authchtida-tioh w'rndow. 



SERVER['PHP AUTH USER' 


SERVER['PHP AUTH PW' 


TVis variable s*tovcs {\^t 
f>dssy/o\rd cy\*bcvcd 七 he 

y/'mdoy/. 


PHP enters the picture through its access to the user name and password 
entered by the user. They are stored in the $_SERVER superglobal, which 
is similar to other superglobals you’ve used ($—POST, $—FILES, etc.). A 
PHP script can analyze the user name and password entered by the user 
and decide if they should be allowed access to the protected page. Let’s 
say we only allow access to the Admin page if the user name is “rock” and 
the password is “roll.” Here’s how the Admin page is unlocked: 


t 


TV Admm 
cmly attcssiklc k 
CorYtd usev- y\3wc and 
passY/ov"d c^'tc'rcd- 






.SERVER [ ' p Hp 


.AUTH—PW ， j 


一 - I 

firft.rW ， i|| Eh .wmld 俞如 

麵 _ 


■ 


SERVER['PHP 一 AUTH 一 USER ’] 
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Dumb Quesd 


9ns 



Yes. And no. It all depends on what you're trying to accomplish with security. 
Nothing is ever truly 100% secure, so we’re always talking about degrees of 
security. For the purposes of protecting high scores in Guitar Wars, HTTP 
authentication provides a reasonable level of security. You could add encryption to 
the password to ramp that up a bit further. However, it’s probably not sufficient for 
an application involving data that is more sensitive, such as financial data. 

What happens if the user name and password are entered incorrectly? 



The browser emits a small electrical shock through the mouse. No, it’s 
nothing that harsh. Usually a message is displayed letting users know that they’re 
attempting to access a secure page that is apparently none of their business. It's 
ultimately up to you how grim you want this message to read. 

Does HTTP authentication require both a user name and password? 
What if I only want to use a password? 

You aren't required to use both a user name and password. If you just want 
a password, focus solely on checking the $_SERVER[‘PHP 一 AUTH 一 PW’] global 
variable. More on how this variable is checked in just a moment... 

How exactly do you protect a page with HTTP authentication? Do you 
call a PHP function? 

Yes, you do. HTTP authentication involves establishing a line of 
communication between the browser and the server through HTTP headers. You 
can think of a header as a short little conversation between the browser and the 
server. Browsers and servers use headers quite often to communicate outside of 
the context of PHP, but PHP does allow you to send a header, which is how HTTP 
authentication works. We're about to dig a lot deeper into headers and their role in 
HTTP authentication with PHP. 




When should the 
authentication of the Admin 
page actually take place? 
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authentication and headers 


HTTP authcwticatiow requires headers 


The idea behind HTTP authentication is that the server withholds a 
protected web page, and then asks the browser to prompt the user for a 
user name and password. If the user enters these correctly, the browser 
goes ahead and sends along the page. This dialog between browser and 
server takes place through headers, which are little text messages with 
specific instructions on what is being requested or delivered. 


All wet pages are 
delivered witk tke 


kelp ol Iteacters. 


Headers are actually used every time you visit a web page, not just when 
authentication is required. Here’s how a normal, unprotected web page is 
delivered from the server to the browser with the help of headers: 


Web server 


o 

The browser requests 
a page from the server 
by sending a couple of 
headers to identify the 
file being requested 
and the host name of 
the server. 


丁 his dollcdtioh o( 
hcadc\rs dohsti-tu-tes 
a v/cb page 



❺ 

The server responds 
with a collection of 
headers, followed by 
the requested page. 





index, php 


This g\roup o*p 

dohsti-tutes 
a web page jrcsjohsc. 



The browser receives 



the headers and the 
page, and renders the 
HTML code for the page. 


1 all is sa'»d ay\d 

V V^c 3 (icv*s 

help *to sudtcss-fully 
dcl'wcv- v-c<\ucs*tcd 

pay -to kvoy/sev. 
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A^afatny rf - 

a IieaJer 

Headers control precisely how and what kind of information is passed back and forth between 
a web browser and web server. An individual header often consists of a name/value pair that 
identifies a piece of information, such as the content type of a web page (HTML). A certain 
group of headers is sent to the server as part of a web page request, and then another group 
is returned to the browser as part of the response. Let’s take a closer look at these groups of 
headers to find out exactly what is sent as the client and server communicate with each other. 


^losi mdividual headers 
^ohsis-t of a hdme/value 
separated by a Co\ov\. 

TWis Readier sfedics 
bvov/sev 
do'rn^ i\\t 




GET / index.php HTTP 

Host: www.guitarwars 




LCtTonT^cTose 

User-Agent: Mozilla/5T 
Accept-unarset : T 
Cache-Control : no 
Accept-Language : de A en; 


The -Pi\rs-t header 
ish t 3 y)3me/ v^lue 

pa’Hr — it’s the ^BT 

^C<\ucsi -fov- the 

P 乎 


Tiic -f ivst iicadcv- is *biic 

severs HTTP resfcmse. 




HTTP/ 1.1 200 i i . ?? • 09 GMT 

Date ： -rhu, 2008 11 . 仏⑽ 

Server : Apache/ 2 . 0 . 54 . 

X-Powered-By ： PHP/5.2.5 
Trans ^ pr ~E nroc ^^- nCi -" 复 e 
"Content-Type: text/html 


This headev- tells the 
b\rowse\r -that "the 
is WT/WL Code, ais opposed 
■to say, fU'm text. 


TV^c HTML to^i ^ov 
pa^c *»s dclWcv-cd - 
j u s*b a-f*tcv- V\cadcv-s. 


index.php 


Headers matter to us in regard to Guitar Wars because they provide the mechanism for 
disrupting the delivery of a page from the server and requiring the user to enter a user name 
and password before it can be delivered. In other words, you have to tweak the headers 
returned by the server to protect a page with HTTP authentication. 
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interview with a header 



HcSticv Exposed 

This week’s interview: 
What’s all the fuss about? 


Head First ： You seem to be grabbing a lot of attention 
when it comes to authenticating web pages. Is it really 
justified, or are you just looking for your fifteen minutes of 
virtual fame? 

Header ： Oh, I’m justified alright. You more than likely 
take for granted that I play a role in delivering every 
single web page in existence. So I guess you could say the 
web wouldn’t even work without me in the picture. I’ll be 
around a lot longer than fifteen minutes, even if I do go 
largely underappreciated. 

Head First ： So what exactly is this role you play? 

Header ： You have to understand that web browsers and 
web servers aren’t people, so they can’t just call each other 
up on the phone or send a text message. 

Head First: OMG! 

Header ： Yeah, I know, it’s a little shocking but machines 
just don’t communicate the same way people do. But 
browsers and servers still have to communicate, and they 
do so using me. 

Head First ： So how does that work? 

Header ： When someone types in a URL or clicks a link 
on a web page, the browser assembles a GET request that 
it sends to the server. This request is packaged into a series 
of headers, each of which contains information about 
the request. The headers hold information like the name 
and host of the page being requested, the type of browser 
doing the requesting, etc. 

Head First ： I still don’t see why that’s important. 

Header ： Well, do you think it’s important when you 
tell the person at the coffee shop that you want a giganto 
vanilla espressiato with skim milk? 

Head First: Of course, they need to know what I want. 

Header ： That’s the same idea here. The browser tells 
the server what it wants by packaging the request up and 
sending it along in headers. 


Head First ： Interesting. But I heard that servers can send 
headers as well. I thought servers just sent back web pages. 

Header ： Ah, good question. I am just as important on 
the other side of the communication because the server 
has to do more than just dump a bunch of content on the 
browser. The browser wouldn’t have a clue what to do 
with it without knowing a bit more. 

Head First ： Such as what? 

Header ： The type of the content, for one thing. That’s 
probably the most important thing, but the server also 
sends along other stuff like the size of the content, the 
date and time of the delivery, and so on. 

Head First ： When does the web page itself get sent? 

Header ： Right after the server sends me to the browser, 
it follows up with the actual content, be it HTML code, 
PDF data, or image data such as a GIF or JPEG image. 

Head First ： OK, I’m starting to see how you work 
in regard to normal web pages. But what about this 
authentication stuff? 

Header ： I play the same role for an authenticated web 
page as I do for a normal web page except that I also take 
care of letting the browser know that the page must be 
authenticated. That way the browser can prompt the user 
for authentication information. 

Head First ： You mean a user name and password? 

Header ： Exactly. And then it’s up to PHP code on the 
server to decide if the user name and password match up, 
in which case, the server can go ahead and send along the 
rest of the page. 

Head First ： Fascinating. Thanks for the heads up. 
Header ： No problem. That’s just part of my job. 
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Take control of headers with PHP 

Using PHP, you can carefully control the headers sent by the server to the 
browser, opening up the possibilities for performing header-driven tasks 
such as HTTP authentication. The built-in header () function is how a 
header is sent from the server to the browser from within a PHP script. 

header(▼Content-Type : text/html'); 

The header () function immediately sends a header from the server to 
the browser and must be called before any actual content is sent to the 
browser. This is a very strict requirement — if even a single character or 
space is sent ahead of a header, the browser will reject it with an error. For 
this reason, calls to the header () function should precede any HTML 
code in a PHP script: 


Tke keaderO 
lunction lets you 
create and send 
a keader from a 

PHP script. 


By\ cv-v-ay\*t spate 

before *tKc <?\>^\> 
y/ould tausc cv-v-ov- ^ 

•m *tWis strict <?php 




header('Content-Type : text/html'); 


Spaces mside of 七 he 

?> arcr!i ?〉 


Tk sc\rvc\r schds this header io 
the b\rowsc\r -Po\r pv-odcssihft bcW 
at-temp-tihg -to schd ahy Jr the 

ft TAIL doh-tcht ih the 


d problem bcddusc 
{}\t^ a\r ⑼’七 passed 
dloy\5 -to *tv^c bvoy/sc\r. 


<html xmlns="http :// www.w3.org/1999 / xhtml" xml : lang="en M lang="en" 


> 


</html> 



All this header stuff is fascinating, 
but how do we actually use it to 
protect pages with authentication? 
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how header authentication works 


Authcwticatiwg with headers 

Authenticating the Guitar Wars Admin page using headers involves 
crafting a very specific set of headers, two in fact, that let the browser 
know to prompt the user for a user name and password before delivering 
the page. These two headers are generated by PHP code in the Admin 
script, and control the delivery of the page to the browser. 


：iOh 


WTTP authchtidati 

Kcadc\rs scht -pv-om the 
scv-vc\r "to the bv-owsev-. 


HTTP/1.1 401 Unauthorized 
WWW-Authenticate : , 

Basic realm="Guitar Wars 


Web server 



r 

Bc-fov-c dclivcv-'m^ yb 

i\\t pay *to 

kvoy/sc^r, sc^rvcv ^otcsscs 
a 叫 V^cadcv-s *tV^c pay. 



Client web 
browser 


Two speciiic keaders 
are reejuirect to request 
tke autlientication ol a 
wet page. 


Tiic bvo>wscv- 
pvomfU usev 
•bo ⑶七伙 a usev- 

and passv/ovd- 


J° v *E：tv thii pgppt, you n«fd (d lo^ to 
"CuiiaF WirT an ■切 



The two headers required to initiate authentication do two very 
specific things: 

This hcadc\r lets the 
b\rowsc\r khow thol-t the 

HTTP/1.1 401 unauthorized 1 usc\r is hot 

- " to view -the page. 




This \\tadtr asks i\\t b\ro>wscv 
\x> attemf 七 *to au*tKcr>*ti^a*tc 
-tKc usev by pv-omptm^ (or d 
usev" r>dmC and p3ssy/oV"d- 


-Authenticate : Basic realm= M Guitar Wars' 


The W basi£. is jus-t d phvasc 

used bo u^i^udy idc^ii-fy 七 “is 
pav-tidulav- auihcr>iidaiio^—i-t appears 
… "the y/mdow. 
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After processing the authentication headers, the browser waits for the 
user to take action via the authentication window. The browser takes 
a dramatically different action in response to what the user does... 




GuScar Wjrm Hi^h AdmyiSirj'j.ilan 


Cuitat Wars - High Scores Admiidstration 

Below is aliHofoJi Guimr Wsr SMnts, Us* ihis e remove Korea ot nesdcd. 



■Iflcob Score terson ZOKS-OM] 
ftpliEn Chivy 2D0 £-Q^j0 I 

Jeaii Paui]』cacs lOtK-OM] 

PB& Jjiraon ztxts- 03 - 0 ] 

raicfi JjudQnuL^, ZD0fi-0H3ll 

Nwil Jiifiaruufln 200£>05431 

Ktwiny Li^lu SKJS-OM] 


ZtTJfiolJ JMJ 74 W Kemovr 
2ft»S6dQT *2S24Tfl 

- 24320U Kcmovf 
3fc57bW ] B*3Slf Rfnvivf 
2fl:37:2?l IITi^Rhibvc 
2 CfcJ 7 il Ri^ffyjvc 

加祕■扣 Remove 


TV HTML Cov\itY\i -fov i\\t 

AcWm is dclivcvcd a-ftc 
七 he sutd.css-ful cr\*tv-y <^f 
usev a^d passy/ovd- 




admin.php 


ttc\rc s ilic 
irealrJ 




l-p the usev- hame 
pdsswov^d sve 
'^o\r^i\y submitted, 

七 he au-thch-tidatioh —^ U 

wihdow jus-t prompts 
七 he usc\r agaih. 



Ta view Lhii nrfJ %a loa in lu a'W 

T.u«w Wirr an vwtf^-euiutwari.rwir 

y 抑 wll Ik rAt*r. 

MUM ： L- 

Pmh.hwwd ： 


A n n 


Guiyar Wirfe ■ Utah 5 wr«a 


Sojry.jrau nwit cuter a vtlWusw name awl paswart h 峨 u 仇 is 



f[r\ has 扣 oppovtu^'rty 

-to c%i*t sdv*if*t a^d display a 

dus*tom denial message i-f a usev 
dar>dcls ou*t o( *tiiC au*tiiC^tidatior\ 



W 1 


0 


If the user enters the correct user name and 
password, and clicks Log In, the server sends 
the HTML content of the admin . php page 
to the browser. The browser displays the Admin 
page, and the user can then remove scores just 
like the previous unprotected version. 


n 


If the user enters the incorrect user name and 
password, and clicks Log In, the server tells the 
browser to prompt the user again. The browser 
continues this process as long as the user 
keeps entering incorrect user name/password 
combinations. In other words, if they don’t 
know the user name and password, their only 
way out is to click Cancel. 




If the user clicks the Cancel button to bail out of 
the authentication, the server sends the browser a 
page with a denial message, and nothing else — the 
admin . php page is not sent. The denial message 
is controlled by PHP code in the admin . php 
script that is closely associated with the headers. 
This code calls the PHP exit () function to 
display a message and immediately exit the script: 


exit('<h2>Guitar Wars</h2>Sorry, you must enter a valid 
'user name and password to access this page .')； 
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finish the authentication code 



PHP Magnets 

The Guitar Wars Admin script is missing several important pieces 
of PHP code that provide HTTP authentication. Use the magnets to 
fill in the missing code and use headers to make the Admin page 
secure. Hint: Some magnets may be used more than once. 


<?php 

// 


User name and password for authentication 


rock 1 ; 


roll 1 ； 


I I 


||($ SERVER[ 1 PHP_AUTH_PW'] 


)I I 

if ( 1isset ( . 

. ••雖••春 ••參 ••畢 _••••*** 舉參 * ■"參 * 

! isset ( . 

#參•參 •鲁* ••參 ••••••** 籲** ■雖 

($_SERVER[ , PHP_AUTH_USER , ] != 

//Th e user name/password are incorrect so send the authentication headers 

(▼HTTP/1.1 401 Unauthorized 1 )； 

('WWW-Authenticate : Basic realm:.) ’ 

. ( » <h2>Guitar Wars</h2>Sorry, you must enter a valid user name and password to 

' access this page . ' ) } 


)){ 


?> 


<html xmlns= n http 


</html> 


:// w 舊 .w 3 .org/ 1999 /xhtml” xml •• lang 二 ” en” lang= n en"> 



[ 一 SERVER] 









admin.php 
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I wonder if \Ys possible 
to send other kinds of 
headers using PHP? 


y 

鐮 


Indeed it is... headers aren’t just for security 

Although authentication presents the immediate need for headers, they 
are quite flexible and can do lots of other interesting things. Just call the 
header () function with the appropriate name/value pair, like this: 


oy/sc\r is 


^rcdnrc^tcd {jo 

"the About 

upoh vcdciv'mg 
this headev-. 


*"'""""<?php 


header('Location : http : //www.guitarwars.net/about.php'); 


?> 


The header is called a location header and redirects the current page to 
a page called about. php on the same Guitar Wars site. Here we use a 
similar header to redirect to the about. php page after five seconds: 


鹌 


Tiic bvoy/sev- is 
vcdiv-ct*tcd *to 
About a-ftev- 

弓 sedor>dis- 




<?php 

header('Refresh : 5; url=http :/ /www.guitarwars.net/about.php'); 
echo 'In 5 seconds you'll be taken to the About page.'; 

?> 



Headers must 
be the very 
first thing sent 
to the browser 
in a PHP file. 


Because headers must be 
sent before any content, it is 
extremely important to not 
allow even a single space to 
appear outside of PHP code 
before calling the header () 
function in a PHP script. 


This header is called a refresh header since it refreshes a page after 
a period of time has elapsed. You often see the URL in such headers 
reference the current page so that it refreshes itself. 

One last header is called a content type header because it controls the 
type of the content being delivered by the server. As an example, you can 
force a page to be plain text, as opposed to HTML, by using the following 
header when calling the header () function: 


<?php 


The is dclivcv-cd {o 

the b\roY/sc\r as 


header('Content-Type : text/plain'); 

echo 'This <strong>text</strong> won't actually be bold.'; 


?> 

In this example, the text echoed to the browser is displayed exactly as 
shown with no special formatting. In other words, the server is telling the 
browser not to render the echoed content as HTML, so the HTML tags 
are displayed literally as text. 
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PHP Magnets Solution 

The Guitar Wars Admin script is missing several important pieces 
of PHP code that provide HTTP authentication. Use the magnets to 
fill in the missing code and use headers to make the Admin page 
secure. Hint: Some magnets may be used more than once. 


// uLer name and password for authentication 

The usev- a^d p3ss>wovd 


H 

1 username 1 

FI 

password | 


rock 


av-c s-fcoved \y\ vairiables 


roll 


.stairt -the script 


The f_£BK\/BK supevglobal 

provides a^^css -to the 
usc\r Y\an\t av\d pdsswov-d 
ty\icrtd by the usev- m the 
au-thch-ti^atio^ w'rndow. 


if (!isset ( 


PHP AUTH 一 USER 


I I 


!isset ( 


SERVER 


PHP AUTH PW 


I I 


($ SERVER [ ， PHP—AUTH— USER’] 


_ u — — ^username | H ($_SERVER [ * PHP_AUTH_PW -] 

// The user name/password are incorrect so send the authentication headers 

—^ - T 



)){ 


header \ ( 1 HTTP/ 1•1 401 Unauthorized 1 ) 

( 1 WWW-Authenticate : Basic realm: 


1 )； 


The usc\r-Chtc\rcd USCV- holme 
password a\rc c\\ttVtd 
the vc^uivcd OhCS. 


exit r< h2 >GuitarWars</h2>Sorry, you must enter a valid user\am^and password to 

- ^ r . , , . , , TV^c W tails *to -tV^c V^cadcvO 

1 access this page . ') } Th f ^ i0 displays a d^ia ^cssay a^d wU— ^adevs 

makes suv-C 的 o*thma else is bo {he b\rov/sc\r m : ,, 丄 “ 

the eve,t a, 以 k se.t tV,e 

<html xmlns="http://www.w3.org/1999/xhtml " 观 1 •• lang:”en” lan g :”en”> 


?> 


</html> 


W 。 ftT/VIL todt is 
delivered *fco *tKc b\rowscv" 
uivtil the headers 
av*c scht 3hd p\rodcsscd- 


HTTP/1.1 401 Unauthorized 
WWW-Authenticate: 

Basic realm=”Guitar Wars' 



admin.php 
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securing your application 




Tesr DriVq 


Add HTTP authorization to the Admin script. 

Modify the admin . php script to use HTTP authentication so that only you have access to it. 
Upload the script to your web server and then open it in your web browser. Try entering the 
wrong user name and password first to see how access is restricted. 



theveiWCe no ^ 

Dumb Questions 


When exactly does the exit () function get called in the Does the “basic realm" of an HTTP authentication have 

Guitar Wars Admin script? any real purpose? 




n am ，管 

h-Jl" ■ 




I 麗， — 


yrmT IT - ■ l 

'mm 

smtfl !• I h 1 ， u Ub feMBC 

_ ZShMMai lb« Wlil'lHBi 




■ 蕭 S£WTH 




it V 畤 -M* 




Pj_j jjTiy— ■ aia *1 s 

it ■ sum ■■的 Bam 

mi-Hiai mmhmw |ki 


S^o\rcs t be v-emoved 
without authorization. 


^ usev* y>3mC 
av\A fassv/ov-d 
Y\0^l pvcvcir>*t 
ur>au*thov'izjcd 
atdess *to *tV>c 

Ad 眯… 


TV ^ui-tav- l/^avViov-s are 
s*tokcd about iVi 价 
score, application y\o>n 
bem5 sa-fc dy\d setuvef 


Even though the exit () function appears in the PHP code 
just below the two calls to the header () function, it's only called 
if the user cancels out of the authentication window by clicking the 
Cancel button. If the authentication fails, the server doesn't continue 
executing past the two header () calls. Instead, it resends the 
headers and tries again. Only if the user clicks Cancel does the 
server make it to the exit () function, in which case it sends 
along the content within the function call and nothing else. If the 
authentication succeeds, exit () isn’t called because the script 
never makes it inside the if statement—the code inside the if 
statement is only executed if the user name and password aren’t set 
or have been entered incorrectly. 


Yes. It defines a security “zone” that is protected by a particular 
user name and password. Once the user name and password 
have been successfully entered for a given realm, the browser will 
remember it and not continue to display the authentication window for 
subsequent authentication headers in the same realm. In other words, 
realms allow a browser to remember that you’ve met the security 
requirements for a given collection of pages—just specify the same 
realm for the authentication headers in the pages. 
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another security problem... 




http://www.guitarwars.net/ 
removescore.php?id=1 O&na 
me=Jacob%20Scorcherson& 
date=2008-05-01 %2020:36:4 
5&score=389740& 
screenshot=jacobsscore.gif 


Suv-c, its bu*t URL *to 

i\\t vcmovcsdov-c fhf docs mdccd 

s*idcs*tcf 七 he scduvc admm fhf 


I 七 scc^s ou\r ^u'i*tav l/Vav-s 
villains -f i^uvcd ou*t a 
y/3y 3\rour>d ouv 
a*t sctuvm^ ^ui*t3v- lA/av-s. 


OK, so maybe Guitar Wars is NOT secure 

Talk about short-lived success. It didn’t take long at all for villainy to strike 
again, blitzing the scores from Guitar Wars and yet again frustrating 
hordes of competitive gamers. It seems that securing the Admin page 
alone wasn’t enough since the Remove Score script can still be accessed 
directly... if you know what you’re doing. 


Write down how you think we can solve this latest attack，and 
prevent high scores from being deleted: 
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securing your application 


We need to secure the Remove Score 
script, and I'm pretty sure we can just use 
HTTP authentication again. 



Joe ： That makes sense. I mean, it worked fine for the Admin page. 

Frank: That’s true. So all we have to do is put the same header authorization code in 
the Remove Score script, and we’re good to go, right? 

Jill: Yes, that will certainly work. But I worry about duplicating all that authorization 
code in two places. What happens if later on we add another page that needs to be 
protected? Do we duplicate the code yet again? 

Joe ： Code duplication is definitely a problem. Especially since there is a user name 
and password that all the scripts need to share. If we ever wanted to change those, 
we’d have to make the change in every protected script. 

Frank: I’ve got it! How about putting the $username and $password variables 
into their own include file, and then sharing that between the protected scripts. We 
could even put it in an appvars . php include file for application variables. 

Joe ： I like where you’re headed but that solution only deals with a small part of the 
code duplication. Remember, we’re talking about a decent sized little chunk of code. 


<?php 

// User name and password for authentication 
$username = 'rock'; 

$password = 'roll'; 

if (! isset($_SERVER['PHP_AUTH_USER' ] ) I I ! isset($—SERVER [' PHP AUTH PW ']) II 

/ Hh ERVER C ' PHP - AUTH - USER ' ] !=$username) | | ( $_SERVER [ ' PHP_AUTH_PW 7 ] ! = $password) ) { 

//he user name/password are incorrect so send the authentication headers 
header( 'HTTP/1.1 401 Unauthorized ')； 

header ( ' WWW-Authenticate : Basic realm= M Guitar Wars M ')； 

} GXlt(，<h2>GUitar Wars </h2>Sorry, you must enter a valid user name and password to access this page 
?> 


<html> 


^ ISs 




admin.php 


Jill: You’re both right, and that’s why I think we need a new include file that stores away all of the 
authorization code, not just the $username and $password variables. 

Frank: Ah, and we can just include that script in any page we want to protect with HTTP authorization. 

Joe ： That’s right! We just have to make sure we always include it first thing since it relies on headers for 
all the HTTP authorization stuff. 
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creating authorize.php 


Create m Authorize script 

We already have all the code we need for a new Authorize script; it’s 
just a matter of moving the code from admin . php to a new script 
file (authorize . php), and replacing the original code with a 
require once statement. 


WlcVe tWis CoAt 

so 七 1 ^七 

y/e plate i*t I*ts ovm 
sd\r'i\>t -Vile, 


if (lisset($_SERVER['PHP_AUTH_USER']) I I !isset($—SERVER['PHP AUTH PW']) | | 

/ /^he ' PHP - A y TH - USER ' ] != $username) || ($_SERVER [ ' PHP_KuTH_PW'] != $password) ) { 

J ，V name/password are incorrect so send the authentication headers 
header('HTTP/1.1 401 Unauthorized') ； 

header ( 1 WWW-Authenticate : Basic realm= n Guitar Wars f, 1 )； 

} eXit(，<h2>GUitar Wars </h2>Sorry, you must enter a valid user name and password to access this page.') 

<html> 

<head> 

<meta http-equiv="Content-Type" content="text/html ； charset=utf-8" /> 

<title>Guitar Wars-High Scores Administration</title> 

〈link rel="stylesheet" type="text/css" href="style css” /> 

</head> ' 

<body> 

<h2>Guitar Wars-High Scores Administration</h2> 

<p>Below is a list of all Guitar Wars high scores. Use this page to remove scores as needed.</p> 

<?php 

require_once( f appvars.php ， ）； 
require_once( f connectvars•php 1 ); 

// Connect to the database 

$dbc = mysqli—connect(DB—HOST, DB—USER, DB—PASSWORD, DB NAME); 

// Retrieve the score data from MySQL 

$query = "SELECT * FROM guitarwars ORDER BY score DESC, date ASC"; 

$data = mysqli—query($dbc, $query); 

// Loop through the array of score data, formatting it as HTML 
echo '<table>'; 

while ($row = mysqli—fetch—array($data)) { 

// Display the score data 
echo ' <tr class="scorerow"xtd><strong> ' 
echo '<td>' . $row['date'] . '</td>'; 
echo '<td>' . $row f'score'] . '</td >'； 

echo '<td><a href="removescore.php?id=' 

&amp;name=' . $row['name'] '&amp;score 

&amp;screenshot=' $row['screenshot'] 


$row['name'] . '</strong></td>'; 


$row['id'] . '&amp;date=' . $row t'date'] 
.$row['score']. 
'>Remove</a></tdx/tr >'； 


echo , </table> , 


mysqli 一 close($dbc); 


?> 


</body> 

</html> 



admin.php 
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securing your application 


•II user name and password for authentication 
$username = ' rock'; 

$password= 'roll. 


incy Shave the sar^c useir 3hd password. 

if (!isset($ SERVER [-PHP_AUTH USER-]) 1 ' ! ^ErT'^^ } 

($ SERVER[--PHP_AUTH_USERM ㈠ 咖：二脈 ） headers 
//"The user name/password are incorrect so send the authentxc^ - 

header (' HTTP/1.1 401 Unauthorized') ； = ars „, } . >^： . 

header ('WWW-Authenticate: Basic rea m pnte r a valid user name and password to access this page ., 
exit ( ， <h2>Guitar Wars</h2>Sorry, you must enter a valiaus - - 



authorize.php 


The siidv-ed A^ovizjC sdvif 七 is mdludcd 
a 七七 he vcv-y bc5*mr>*m5 o( *tK*is sdvif 七 
s\y\U \i dalls 七 he hcadcv -0 


<?php 

require—once('authorize.php') 
?> 


<html> 


<?php 

require—once('authorize.php') 
?> 

<html> 



The authch-tidol-tioh CoAt 
•… "the Adrwih sdvip't is 
v-cpla^cd with ai s'm^le 
lihC Pl+P toAc 




admin.php 


removescore.php 


BULLET POINTS - 

■ PHP scripts can use headers to control how the server 
delivers web content to the browser. 

■ The built-in PHP header () function is used to send 
headers to the browser, which can be used to redirect a 
page, control the content type of a page, or request the 
authentication of a page. 

■ When headers are sent to the browser using the 
header () function, calls to the header () function 
must come before any other content is sent. 


■ When a page is protected using HTTP authentication, 
the user name and password entered by the user are 
stored in the $_server superglobal. 

■ The “basic realm” of an HTTP authentication is a 
security zone that gets associated with a specific user 
name and password, allowing multiple pages to be 
secured together. 

■ The built-in PHP exit () function exits a PHP script, 
preventing any code following it from being executed or 
otherwise sent to the browser. 


you are here ► 


315 



















secur/fy no dumb quesf/ons 



I still don’t fully understand how Ethel got around the security 
in Guitar Wars. What did she do? 

She capitalized on the weakness inherent in only protecting one page 
(Admin) when the remove score feature really relies on two pages (Admin 
and Remove Score). The Admin page presents a series of Remove links 
that link to the Remove Score page. The specifics about which score to 
remove are passed in the URL, allowing the Remove Score script to access 
them through the $_GET superglobal. If you were able to put together a 
legit URL for the Remove Score page, you could remove scores without 
even going through the Admin page. That’s what Ethel did. 

Q/ But how did she know how to structure the URL to the Remove 
Score page? 

She’s pretty crafty, but this task didn’t require a genius. Remember 
she mentioned bookmarking the Remove Score page back when the whole 
site was unprotected. Well, a bookmark is just a URL, and she was able to 
use it to construct a URL that directly accessed the Remove Score page 
without having to go through the Admin page. 

OK, but the high scores had been re-entered since the previous 
attack. Doesn’t that mean the old URLs wouldn’t work since the dates 
are different? 

Yes, that’s a very good point. But remember, Ethel is pretty clever. 

She could easily look at the main Guitar Wars page and see the new dates, 
which she then plugged into the old URL to remove the new scores without 
any trouble. It's important to never underestimate the ability of determined 
people to reverse-engineer your PHP scripts and exploit weaknesses. 

Alright, so protecting both the Admin and Remove Score pages 
stops Ethel, but don’t they now make it a total hassle to remove 
scores legitimately? 

No, not at all. Without the help of realms, it would definitely be a 
hassle removing scores legitimately because you’d have to enter the user 
name and password separately for the Admin and Remove Score pages. 
But remember that a realm was established that is the same in both pages, 
meaning that the pages fall under the same security zone. And once you 
go through the authentication window for a page in a given realm, the user 
name and password are remembered throughout the realm. The end result 
is that successfully entering the user name and password once is sufficient 
to unlock both pages. 



Never underestimate tke 
ability ol cteterminect 
people to reverse-engfineer 
your PHP scripts and 
exploit weaknesses. 
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Tesr DriVq 


Create the Authorize script and include it in the Admin and Remove 
Score scripts to secure them. 

Create a new text file called authorize . php, and enter the code for the Authorize script 
into it. Then modify the admin . php script so that it includes the Authorize script instead 
of the actual HTTP authentication code. Add the same require_once statement to 
the beginning of the removescore • php script so that it is also protected by HTTP 
authentication. 

Upload all of the scripts to your web server and then try to open the Remove Score script 
directly in your web browser. You may have to clear any previous HTTP authentication 
sessions in your browser for it to prompt you again — most browsers remember an 
authentication realm so that you don’t have to keep re-entering the user name and password. 


n n n 





http :/ /www.guitarwars.net/removescore.php? 
id=10& 

name=Jacob% 2 0 Scorcherson& 
date=2008-05-01%2020:36:45& 
score=389740& 

screenshot=jacobsscore.gif 




This URL bypasses i\\t 
Adm'm fay dr^d atusscs Ac 
Remove Sdov-c divc^tly- 



Can you think of any other 
ways the Guitar Wars high 
score application is at risk? 


The Remove S^o\rc is 
^oitdtA \rcgav-dlcss Jc 
how the usc\r gets -to it. 


r>nn 


A user av\d are 

y \ o>n vc<\ui\rcd -fo\r bo*bii 
Adm'm dr^d Remove S^ovc 


卟 is flajic, nttd to log in Id aru 

fiuiLar ewi ■ siu iC ji ruu r 、， 


pmwcirS iMUbp wnl Inll^ ^ifui 

Password 




【■mm ~ Ror.：, V f. .； 


Gdur Wars. Remove a High Score 

Tl» high of 3 t4m &r m ^ 

、•: E&ck 俗 jtdmin 
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a fake score debacle 


High Score 

ftuitar Wars Episode II : Attack of the Clones 

Sadly, happiness in the Guitar Wars universe didn’t last for long, as bogus scores 
are showing up in the application in place of legitimate scores... and still inciting 
rage throughout the Guitar Wars universe. Apparently it’s entirely possible to 
disrupt the Guitar Wars high score list without removing scores. But how? 




Gu!U: rtdrs- - tlisn 5tanii 


Guitar Wars - High Scores 

WcJkihu^ Lriiwitr WanMf r flo- yws haw v^tiai w takes co iCRKfc ibe fi 違 h store list . 1 if jMH 


Top Score: 500000 


smm 

>iiimir2 F_lhc] Hcutel 
I>uLcs 2DQ51-QS-02 14112:54 


389740 

MfiHic-: J'awfrScflircfttraMi 
Untet ax)ft-Li 3 - 0 ] 30 :^:- 1-3 


G u i t a r 


Nana- 

EttielHccL 



&thel’s -feop stove is dearly 
suspect due bo "the poov-ly 
dodored sd\rccK> sho 七 an j 
七 he -fadi ihai she happened 

■to score e^a^ily ^00,000. 


score 


screenshot 


22 


Belita CHevy 

282470 

2008-05-01 20:36:45 

Jacob Scorcherson 

389740 

23 

2008-05-01 20:37:02 

Nevil Johansson 

98430 

24 

2008-05-01 20:37:23 

Paco Jastorius 

127650 

25 

2008-05-01 20:37:40 

Phiz Lairston 

186580 

26 

2008-05-01 20:38:00 

Kenny Lavitz 

64930 | 

27 

2008-05-01 20:38:23 

Jean Paul Jones 

243260 

28 

2008-05-01 21 : 14:56 

Leddy Gee 

308710 

29 

^ —- 

2008-05-01 21:15:17 

T-Bone Taylor 



OP 2008-05-02 14:02:54 


Ethel Heckel 


belitasscore.gif 
jacobsscore.gif 
nevilsscore.gif 
pacosscore.gif 
phizsscore.gif 
kennysscore.gif 
jeanpaulsscore.gif 
leddysscore.gif 


500000 ethelsscore.gi^^ 
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securing your application 


Subtraction by addition 

Until now we’ve operated under the assumption that any high score submitted 
with a screen shot image is considered verified. It’s now reasonably safe to say 
this is not the case! And it’s pretty clear who the culprit is... 





Oh yeah, ifs me... guilty as charged! All I 
had to do was post my awesomely fake scores 
with touched-up screen shots. Ah, ifs good to 
be the top Guitar Warrior. 


v-caliz^d tould 

V^avot by simply 

bo^us stoves dofi.*tov*cd 


Write down how you would solve the problem of people being 
able to post bogus high scores to the Guitar Wars application: 
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guitar wars needs human moderation 


Security requires humaws 


Even in this modern world we live in, sometimes you can’t beat a real 
live thinking, breathing human being. In this case, it’s hard to beat a real 
person when it comes to analyzing a piece of information and assessing 
whether or not it is valid. We’re talking about moderation, where a human 
is put in charge of approving content posted to a web application before it 
is made visible to the general public. 


acts added 仫从 c database Wt 
appear *to *tKc uyrtil 

a ^odc^ra-bov a\>\>^ovcs 

Xiic adds a 於 

stove so -bV^a-t i*b cav\ 
be appv-oved. 


Score Af'fLnn 


Human moderation 
is an excellent way 
to improve tke 
integrity oi user- 
sutmittect content. 



Simply adding a hCw 

docs^i au-tomaiiddlly 
3dd it "to "the publicly visible 
high s^o\rc lis-t ahymov-e- 



Guitar Wars could really use some human moderation. Sure, it’s still 
possible that someone could carefully doctor a screen shot and maybe 
still sneak a score by a human moderator. But it wouldn’t be easy, and it 
doesn’t change the fact that moderation is a great deterrent. Keep in mind 
that securing a PHP application is largely about prevention. 

Ouv -Pca\rlcss ^ui-ta\ 
l/Vivs rwodc\r3"fcoV •… hcvcv- 
你 ei a high sdovc he 
\really ahd lv-uly Ousted. 
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securing your application 


Plaw for moderation m ftuitar Wars 


Adding a human moderation feature to Guitar Wars is significant because 
it affects several parts of the application. The database must change, a new 
script must be created to carry out an approval, the Admin page must add 
an “Approve” link to each score, and finally, the main page must change to 
only show approved scores. With this many changes involved, it’s important 
to map out a plan and carry out each change one step at a time. 


Use alter to add an approved column 
** to the table. 

Let，s start with the database, which needs a new 
column for keeping up with whether or not a score 
has been approved. 


id 

da,e 

name 

score 

screenshot 

approved 




28 

2008-05-01 21:14:56 

Leddy Gee 

308710 

leddysscore.gif 

0 

29 

2008-05-01 21:15:17 

T-Bone Taylor 

354190 

tbonesscore.gif 

0 

30 

2008-05-02 14:02:54 

Ethel Heckel 

500000 

ethelsscore.gif 

0 

31 

2008-05-02 20:32:54 

Biff Jeck 

314340 

biffsscore.gif 

0 

32 

2008-05-02 20:36:38 

Pez Law 

322710 

pezsscore.gif 

0 


^ Modify the Admin page to include an 
y “Approve” link for scores that have yel 
to be approved. 

The Approve Score script is a back-end script that 
shouldn’t normally be accessed directly. Instead, it 
is accessed through “Approve” links generated and 
displayed on the Admin page — only unapproved 
scores have the “Approve” link next to them. 


HidlB U l 


¥■^1 - Rig fa 

Hi 

rMiHnU JHQEiit .inui 

aXBOVCi 暑 OBnrMi 


K 

■■ ，卜 . • ■ j « ■- - \ J 

LuUgb 

4 ,3mm mn mmii •xlin tuv k 

IhH 

mml.ttmt Mlftn 

P * M 31 >gfWfi 

t ■ IBAiAaK iUKi H _r», 

n: ms ^yic 


0 Create an Approve Score script that 
handles approving a new high score 
(sets the approved column to 1). 

With the database ready to accommodate high 
score approvals, you need a script to actually handle 
approving a score. This Approve Score script is 
responsible for looking up a specific score in the 
database and changing the approved column for it. 



6 Change the query on the main page to 
only show approved scores. 


The last step is to make sure all this approval stuff 
gets factored into the main high score view. So the 
main page of the application changes to only show 
high scores that have been approved 一 without this 
change, all the other approval modifications would 
be pointless. 
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add an approved column to the guitarwars table 


Make room for approvals with ALTER 

Adding the new approved column to the guitarwars table involves 
a one-time usage of the ALTER TABLE statement, which is an SQL 
statement we’ve used before. 

/ Tk data ^ 001 

ALTER TABLE guitarwars ^ ^ a) - as ^ ov . JIKVIKT, so 

ADD COLUMN approved TINYINT y ou use 


The new approved column is a TINYINT that uses 0 to indicate 
an unapproved score, or 1 to indicate an approved score. So all new 
scores should start out with a value of 0 to indicate that they are 

initially unapproved. 


6 


Use alter to add an 
approved column to 
the table. 



O 


Wait a minute. I don’t think you can just go 
adding a column to the database without 
changing the Add Score script—shouldn’t it 
INSERT data into the new column? 


It’s true, a new column means a new value in the insert query 
in the Add Score script. 

It’s important to not lose sight of the fact that a PHP application is a careful 
orchestration of several pieces and parts: a database consisting of tables with rows and 
columns, PHP code, HTML code, and usually CSS code. It’s not always immediately 
apparent that changing one part requires changing another. Adding the new 
approved column in the guitarwars table for the sake of the new Approve Score 
script also requires modifying the INSERT query in the Add Score script: 


INSERT INTO guitarwars 
VALUES (0, NOW(), 1 $name 


All msevtcd store, v-oy/s 

Kave set O … ur\appv-ovcdf 

1 $score 1 r ▼$screenshot', 0) 



2008-05-02 14:02:54 
2008-05-02 20:32:54 



Ethel Heckel 
Biff Jeck 


500000 

314340 


322710 


ethelsscore.gif 

biffsscore.gif 


pezsscore.gif 




d toluwm is 
added, i*b appv-oved 
dolumr\ is sc*t {jo O so 
Aa 七 I 七 s-tav-b ou*t 
ur\appv-ovcdi. 
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securing your application 



rperi your pencil 


<?php 


The Approve Score script is similar in structure to the Remove Score script 
except that its job is to approve a score. Finish the missing code for the 
Approve Score script, making sure to secure the page and only approve the 
appropriate score based on score data passed through a URL. 


?> 


<?php 

require_once(*appvars.php *); 
require_once('connectvars.php'); 

參 • • 

if (isset($_POST['submit'])) { 

if ( ) { 

// Connect to the database 

$dbc = mysqli_connect(DB—HOST, DB—USER, DB_PASSWORD, DB—NAME); 

// Approve the score by setting the approved column in the database 
$query = "UPDATE guitarwars SET 
mysqli—query($dbc, $query); 
mysqli_close($dbc); 

// Confirm success with the user 
echo 


else { 
echo 


echo * <p><a href=" ">&lt;&lt; Back to admin page</a></p>▼; 
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the completed approve score script 


i^|l^rpen yoi 


<?php 




?> 


The Approve Score script is similar in structure to the Remove Score script 
except that its job is to approve a score. Finish the missing code for the 
Approve Score script, making sure to secure the page and only approve the 
appropriate score based on score data passed through a URL. 

I^dludmg tKc is all 払 at is 

-to scduv-c i\\t Ap 产 ow Stove d usev r\a^t 

ar\d f assy/ovd, bu 七 ’rt mus*t be Aov\t 七 m 七 he 

stvip*t s'mtc i*t v-clics oy\ Kcadcvs. 


<?php 

require_once(*appvars.php 1 ); 
require_once('connectvars.php'); 

參 • • 

if (isset($_POST['submit'])) { 

_P0STC 二二 Yd 




if 


s 


Create an Approve 
Score script that 
handles approving 
a new high score 
(sets the approved 
column to 1)_ 


// Connect to the database 


The IP must 

$dbc = mysqli_connect(DB—HOST, DB—USER, DB—PASSWORD, DB—NAME); * m ovdcv bo davvy 

ou 七七 he affv-oval. 


// Approve the score by setting the approved column in the database 

$query = "UPDATE guitarwars SET approved — I 1/VttERE id — Vid’ 

.. 

mysqli—query($dbc, $query); 

O il. - 

Co^livrw -the app\roval y/iih 


mysqli close($dbc); 


Scttm^ approved Co\ 
-to I apfv-ovcs stove 


"the usev- by -the 

厂 approved sdovc Bv\d name. 

// Confirm success with the user 

echo W\^\\ sdo\rc o( 1 • fsdov-c - 1 (or 1 - 1 v/ds sud^css-fully approved ^ 


else 


?> 


ec h 0 ^lass— w c\r\ro\r W >So\r\ry, v/ds d pvoblcm *thc store•</^> ' } 

} I 仏 -to v-cvcal wb a sure 6armo 七 

be 3fpv"ovcd> similav" *to V^oy/ Wb 

sdv-ip*b v-c\>ov*t cv-v-ov-s. 

">&lt;&lt; Back to admin page</a></p>'; 

- Provide a Imk badk -to -the 

Adrw'm pajc -foir casicv- ^avi^aiior). 


\rs 


echo ' <p><a href: 
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Dumb Quest? 


9ns 


Why isn’t it necessary to pass along the screen shot 
filename when approving a score? 


It seems kind of cryptic to use 0 and 1 in the approved 
column. Are there other ways to represent this information? 


Because the process of approving a high score only requires 
enough information to look up a score row and then approve it. This 
means you really only need enough data to hone in on a particular 
row. The date, name, and score are enough to find a particular row 
and set its approved column to 1. 


Yes. The MySQL ENUM data type, which stands for 
“enumerated,” allows you to create a column with a restricted list of 
possible values. So instead of adding the approved column as 
a TINYINT that is intended to be 0 or 1, you could add it as an 
ENUM that can only have values of 'yes' and ' no ', like this: 



ALTER TABLE guitarwars 

ADD COLUMN approved ENUM('yes', 'no ’） 


The score data used to approve a score in the Approve Score script is passed 
through "Approve” links that are generated in the Admin script. Finish the 
missing code in the Admin script so that it generates these links. 


// Loop through the array of score data, formatting it as HTML 
echo * <table>'; 

echo ' <tr><th>Name</thxth>Date</thxth>Score</thxth>Action</th></tr> ' ; 
while ($row = mysqli—fetch—array($data)) { 

// Display the score data 

echo * <tr class="scorerow"><td><strong> * . $row [ ' name ' ] . ' </strongx/td> '; 

echo '<td>' . $row['date'] . '</td>'; 

echo '<td>' . $row['score'] . '</td>'; 

echo '<td><a href="removescore.php?id=' . $row['id 1 ] . , &amp;date= , . $row['date'] 

'&amp;name =' . $row [ 1 name'] . '&amp;score= * . $row[* score']. 

'&amp;screenshot= 1 . $row[▼screenshot▼] . 1 ">Remove</a>'; 

if (.) { 

echo 


echo ' </tdx/tr> 

} 

echo '</table>'; 


O^ly unap^ovcd stores 
should v^avc w ~\>rovc w Uk. 


you are here ► 
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generating approve links 


(^Jterpen your pencil 

Solution 


The score data used to approve a score in the Approve Score script is passed 
through "Approve” links that are generated in the Admin script. Finish the 
missing code in the Admin script so that it generates these links. 


-row['name' 


'</strongx/td> 


// Loop through the array of score data, formatting it as HTML 
echo '<table>'; 

echo ' <tr><th>Name</thxth>Date</thxth>Score</thxth>Action</th></tr> 
while ($row = mysqli—fetch—array($data)) { 

// Display the score data 
echo '<tr class= M scorerow"><td><strong>' 
echo ▼<td> , . $row[ ' date'] . '</td>'; 

echo ▼<td> , . $row['score'] . 1 </td>'; 

echo '<td><a href= M removescore.php?id=' 

'&amp;name= 1 . $row['name'] . '&amp;score 

* &amp;screenshot= * . $row[* screenshot']. 

if ( .t 1 ? 1 .^ ^ — 

echo 1 / <a 二 ’ • f\rowC 1 idl , ] • iampdate 二 ’ .f\rowC i da*tc , 3 • 

• froviCy\Bmc3 - 二 ’ • jro^Cstore - 匕 \rcc 的 sho 七二 ’- 

- 1 >AppV-OVC</ S>j 


$row['id *] . '&amp;date 

.$row['score' 
M >Remove</a>'; 


$row [’ date'] 


Chcdk {jo sec i-P ihc sdo\re is 
u^app\rovcd bc-fo\rc gc^cvat'mg 
七 he w App 浐 ove" Imk. 



echo ' </tdx/tr> 


echo '</table> 



— 払 c Irnk 

so date, 

store, 扣 dl street sVio*t “ay 

are passed m i\\t WRU 


The “Approve” I mk "ties 

the Adrwih page -to the 
Affv-ovc Sto\rc page. 


MuHiur^.rs. .^ppn^. a 


Lrm 

iw 

■ ' ' i：；dM - m Hirfi Srt** 



Modify the Admin 
page to include ai 
“App rove ，，link for 
scores that have 
yet to be approvec 
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Unapproved scores aren't worthy 

All the infrastructure is now in place for the moderation feature in the 
Guitar Wars high score application. All that’s missing is the final step, 
which is altering the main page to only show approved scores. This 
involves tweaking the SQL SELECT query so that it only plucks out scores 
whose approved column is set to 1 (approved). This is accomplished 
with a WHERE statement. 


Use WHERE to 

select rows Lased 
on tke value ol a 
certain column. 


SELECT * FROM guitarwars 
WHERE approved = 1 
ORDER BY score DESC, date ASC 

The addition of the WHERE statement to this query eliminates any scores 
that haven’t been approved, which includes all new scores. This gives the 
moderator a chance to look them over and decide whether they should be 
removed or made visible to the public (approved). 


|-f 七 k approved toliAwm is sc*t 

-to I, 

七 he stov-c be displayed- 


2008-05-01 21:14:56 
2008-05-01 21:15:17 


2008-05-02 14:02:54 


2008-05-02 20:32:54 
2008-05-02 20:36:38 


Leddy Gee 
^^T-Bone Taylor 


308710 

354190 


leddysscore.gif 

tbonesscore.gif 


Ethel Heckel 500000 ethelsscore.g 


biffsscore.gif 

pezsscore.gif 


BiffJeck 
Pez Law 


314340 

322710 




Ohly approved 
shoves show up 
oh the rwelih 
(mdex php) how. 


Change the query on 
the main page to only 
show appo>ved scores. 
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test drive approvescore.php 




Tesr DriVq 


Create the Approve script and rework the rest of the Guitar Wars 
application to use it. 

Using a MySQL tool, issue the ALTER query to add the new approved column to the 
guitarwars table. Then change the INSERT query in the adds core • php script to insert 
a 0 in the approved column for new rows of data. 

Now create a new text file called approvescore . php, and enter the code for the Approve 
Score script into it. Then modify the admin . php script to include an “Approve” link for high 
scores that have yet to be approved. And finally, change the SELECT query in index . php to 
only show approved scores. 

Upload all of the scripts to your web server, and open the main Guitar Wars page in your web 
browser. Take note of the scores that are visible, and then open the Admin page. Click one of 
the “Approve” links and continue along to approve the score. Then go back to the main page to 
see if the score appears. 



aa™ ■mB swn-r 
HW&Of-Oi S^mrnH- 


^ n 




Tam ISnSid 


WSKCuTO 

ZI ： MJHSJ0fl7l0g EB E =£ 

3BMMI 2Ct3l:233<32foaQ 




provide aUtss bo the 
Approve Stove fay ； 
y/ilCVC mdividual stores 
c ^ y \ be apfv-ovcd- 


] 咖如伽聊咖 isu== ㈣ 

T-BC« 屋 31:13:1 ? w 150 

i2JViy AfCTmr N 

- - ’ 

TV MV/ w Appv-ovc w Imks 
OY\ 七 he fay 


fra Ltii 
腿 J 战 

LwJrfjGw 

H#liU 

■lew Piul Jean 

ThUi I jfliru Mi 

Vwn Wt—ltfWi 
Knoj Lftvjlz 
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Ann 


uui 




Guitar Wars - Aprvrftv^ a Hifth ^rc- 

Are jw sure v,ML» tow ： *r fbfc»in|ibwh KdWT 

3 frS &53 


31 IW 

IKjGe: 

3 k> 0 F+l ilStljO* 


Guitar ^ 


ssu 


^ Y-dfcO ^ 


m C!l Cuitar Wilt - A|ipi4w» ^ High Stdf 




Ufov\ -follov/ir>^ 七 Wou# 
W\i\\ -tKc sdovc afpvoval, 
a do^-f iv-matio^ message 
is displayed- 




hi 呂 h MrDev uJ J321〗y lw Fez Ljiw wua iuccc^JuU^ appra-ved 
<< Back to jidmLn omc 


J\ simple -form \rc<\u 士 CS a 

bc-fov-c actually 

a^fv-ov'm^ 七 he stove- 




访 jii - Hgi Icpri-k 






354190 

^uw; T-BrnWTiykK 
dkS 0 *) 5 ^- 0 i 3 ! ： i 5 '-!? 



£cor« : 
BSMJilD 


322710 

I ?Sa£K ； Pei Law 


i^MiKL ajiawu ahWJR 


TKc hcwly approved 

父 。代 how appear oh the 

州 am ^ui-tav lVav-s pay. 


Guitar 

Wars ： 


Hab «3 

PEILJLU 

Scot* : 
3d211B 



314340 

Tiuut! BLTf Fecie 
DaCraWK^^S)：!?^ 


fell •咖 J 
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ethel strikes again 


The million-pomt hack 

The moderated version of Guitar Wars represents a significant security 
improvement, but it’s far from bulletproof. It seems our wily infiltrator has 
managed to find another weakness in the high score system and somehow sneak 
her high scores past the moderator. Ethel must be stopped, permanently, in 
order to restore trust throughout the Guitar Wars universe. 



car^i but ^loa-t ovcv 
system yc*t a^ m， 


Nunc Ei^icL Hcctc] 

丁 i • . , Ua »： 30DIHJ5-UJ L4 ： MS：H 

I nis is pmcdiscly 
the kihd o-p high 

s^o\rc the rwodev-a-tov 
would’ve s-topped 
dead ih its tira^ks... 

yci ihe\re it is/ 


1000000 




Score: 1000000 


Guitar ^ 


EtW^Wcck 

lo^oooo 


Gui tar 


111 p 
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securing your application 


Evcrythlwg iw moderation." ? 


Even though the moderator knows without a doubt that he never approved 
Ethel’s high score submission, it nevertheless is there in plain view with 
the approved column set to 1. We know the Add Score script sets the 
approved column to 0 for new high scores because we just modified the 
INSERT query in that script. Something just doesn’t add up! 


How is that possible? I 
know I never approved that 
score. A million points!? 


O 


0 


TV^c 今 urtav* lA/av-s 
modcv-a-tov- 
ou*b v/V)3*t 



date 

2008-05-01 20:36:07 
2008-05-01 20:36:45 
2008-05-01 20:37:02 
2008-05-01 20:37:23 
2008-05-01 20:37:40 
2008-05-01 20:38:00 
2008-05-01 20:38:23 
2008-05-01 21:14:56 
2008-05-01 21:15:17 
2008-05-02 20:32:54 
.2008-05-02 20:36:38 


name 

Belita Chevy 
J acob Scor cherson 
Nevil Johansson 
Paco Jastorius 
Phiz Lairston 
Kenny Lavitz 
Jean Paul Jones 
Leddy Gee 
T-Bone Taylor 
Biff Jeck 
Pez Law 


2008-05-05 14:58:59 Ethel Heckel 


score 

282470 
389740 
98430 
127650 
186580 
64930 
243260 
308710 
354190 
314340 
322710 


screenshot 

belitasscore.gif 
jacobsscore.gif 
nevilsscore.gif 
pacosscore.gif 
phizsscore.gif 
kennysscore.gif 
jeanpaulsscore.gif 
leddysscore.gif 
tbonesscore.gif 
biffsscore.gif 
pezsscore.gif 


1000000 ethelsscore2.g 






How do you think Ethers bogus post got past the moderator? 


TVis sCorc v/as y\CVC\r 
appvovcd by 

modcv-a*to\r yei i*bs 
appvovcd is 

sei "to I, vcsultm^ *m 
i-b be'm^ displayed- 
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try out ethers hack 





As it turns out, Ethel’s million-point hack had nothing to do with the 
Approve Score form. Her mischief was completely isolated to the 
Add Score form. Below is the exact form data that Ethel entered into 
the Add Score form to carry out her hack. Enter the same form data 
in your own form and add the score. What do you think is going on? 


po^-t -fov-yt 



This be 扣丫 与 IP or JPB^ 一 

-file -that is u^dev- VI 


mow 

I 如 I 抓 

j_r 」 


ethelsscore2.gif 
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securing your application 


How exactly did she do it? 

In order to understand what’s happening with this clever form attack, let’s 
trace the flow of form data as it travels through the Add Score script. 




% 

s 


■f* H r&urHIoliScqfi 


0 ° 



c^-tc\rcd hc\r high 
sdovc … plus s or 

othc\r s-t\ra^JC siu^/ 


$ POST['score']; 


Tiic unusual toy>*tc^*U of 
*tKc Stove -fov-m -f ield 
yt shoved m 七 he fstove 
variable ； wKi^K c^ds up 
rbs v/ay div*c£.*tly 
*rn*to *tKc INSERT <\uc\ry. 


INSERT INTO guitarwars 
VALUES (0, NOW(), '$name', '$score', 1 $screenshot 1 , 0) 


The Score form field expects a single numeric value, such as 1000000, 
but instead it has several values enclosed in single quotes, separated by 
commas, and then with a strange double-hyphen at the end. Very strange. 

This strange data first gets stored in the $ score variable, after which 
it gets incorporated into the INSERT query. This just results in a 
meaningless score, right? Or is something more sinister taking place here? 


r{^|^rpen your penoi 


Using the exact form data shown on the facing page, write out 
the full Add Score SQL query for the million-point attack. Make 
sure to replace the variables in the query with the actual form 
data. Annotate what you think is happening. 
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how sql injection works 


■ ^Sharpen your pencil 

Solution 


Using the exact form data shown on the facing page, write out 
the full Add Score SQL query for the million-point attack. Make 
sure to replace the variables in the query with the actual form 
data. Annotate what you think is happening. 


INSERT INTO 3u»tav ： y/ay；s 



LUES (O, UOWO, WM, '1000000*, 


Ii3s Somehow IlCV" 

owh yj^s\oy\ o-P the <\ucv-y that 
is supcirscdih^ "the o\ri0ihdl ^ucv~y 



Thafs a weird looking query. The 
screen shot filename appears twice, 
and I doiVt know what to make of that 
double-hyphen... does the query work? 


l c*tiiclssdo\rcZ-5i-f^ O) 

Sih 以 the approved 乙 ol_ 

is las-t m the database 
s-t\ru^tu\rc ; it is beih^ -Pov-^cd 
"to 3 value o( I... appv-oved/ 


o 




Tricking MySQL with comments 


The real culprit in Ethel’s million-point attack is, strangely enough, SQL 
comments. A double-hyphen (--) is used in SQL to comment out the 
remainder of a line of SQL code. You must follow the double¬ 
hyphen with a space for it to work (-- ), but everything after the 
space is ignored. Now take a look at Ethel’s full query with that little 
nugget of wisdom. 


INSERT INTO guitarwars 

VALUES (0, NOW(), 'Ethel Heckel', ' 1000000 ' , 'ethelsscore2.gif', 


Is it making more sense? The comment effectively erased the remaining 
SQL code so that it wouldn’t generate an error, allowing Ethel’s version 
of the query to slip through without a snag. The end result is an instantly 
approved new high score that the moderator never got a chance to catch. 


The — dorwruCht ^duses 
the \rcst of the lihe of 



br\cktd tiic 

•m*to appv-ov'm^ sdovc- 
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securing your application 


The Add Score form was SQL injected 


Ethel’s attack is known as an SQL injection, and involves an 
extremely sneaky trick where form data is used as a means to change 
the fundamental operation of a query. So instead of a form field just 
supplying a piece of information, such as a name or score, it meddles with 
the underlying SQL query itself. In the case of Guitar Wars, Ethel’s SQL 
injection used the Score field as a means of not only providing the score, 
but also the screen shot filename, the approval value, and a comment at 
the end to prevent the original SQL code from generating an error. 


^ H 以脉和町圉响 Tbur Soora 


Guhar Wars * Add Your U 


Form iielcts are 
a security weak 
point lor wet 
applications 
because tkey allow 
users to enter data. 



INSERT INTO guitarf|^rs 
VALUES (0, NOW(), '$name', '$score', '$screenshot', 0) 


theretare no o 

Dumb Questi9ns 




Are there any other kinds of comments in SQL besides -? 

Yes. Another variation on the single-line comment involves the 
use of # instead of but still results in commenting out any SQL 
code to the end of the line following the comment. SQL also supports 
multi-line comments that are similar to PHP’s multi-line comments in 
that you enclose commented code between /* and V. 


Would Ethel’s SQL injection attack have still worked if the 
approved column wasn’t at the end of the table? 

No, and that’s a really important point. This particular 
INSERT query relies on the default ordering of columns in the table. 
Tacking on 1 to the end of the query just happened to work because 
approved is the last column, appearing immediately after the 

screenshot column. 
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preventing sql injection 


Protect your data from SQL iwjectio 似 

The real weakness that SQL injections capitalize on is form fields that 
aren’t validated for dangerous characters. “Dangerous characters’’ are any 
characters that could potentially change the nature of an SQL query, such 
as commas, quotes, or -- comment characters. Even spaces at the end 
of a piece of data can prove harmful. Leading or trailing spaces are easy 
enough to eliminate with the built-in PHP function trim () — just run all 
form data through the trim () function before using it in an SQL query. 


$name = trim($_POST['name']); 
$score = trim($_POST['score '])； 


丁 he tHruO -Puhdtioh yts 
Hd o( leading ahd 
I spaces ih "this -Po\nrn data. 


$screenshot 


=trim($ FILES[’screenshot*][’name 1 ]);, 
一 y 


But leading and trailing spaces aren’t the whole problem. You still have 
the commas, quotes, comment characters, and on, and on. So in addition 
to trimming form fields of extra spaces, we also need a way to find and 
render harmless other problematic characters. PHP comes to the rescue 
with another built-in function, mysqli_real_escape_string (), 
which escapes potentially dangerous characters so that they can’t adversely 
affect how a query executes. These characters can still appear as data in 
form fields, they just won’t interfere with queries. 

Putting the trim () and mysqli_real_escape_string () functions 
together provide a solid line of defense against SQL injections. 


SQL injections can 
te prevented ty 
properly processing 
lorm data. 


T\\t 你 ysc^jreal—esGfe 一 

dor>vc\rb 

tiiav-at*tcvs m*to esdaped 
-fov^a-t > nov \{, adversely 
a-f-fed-t S 公 L «\ucvics. 



$name = mysqli 一 real—escape—string($dbc, trim($_POST[* name'])); 

$score = mysqli—real—escape—string($dbc, trim($_POST['score ']))； 

$screenshot = mysqli real escape string($dbc, trim($ FILES[’screenshot 1 ] ['name *]))； 



Processing the three Guitar Wars form fields with the trim () and 
mysqli_real_escape_string () functions greatly reduces the 
chances of another SQL injection attack. But these two functions aren’t 
enough — maybe there’s a way to make the query itself less vulnerable... 


mys—ijreal 一仪 afe 一 is 

^sidered a database 
is v/Wy i 七 \rc<\uivcs you *to pass i*t a 
dd'bdbdse 於 va\riaklc> like 

oY\t used 


336 


Chapter 6 









securing your application 


A safer INSERT (with parameters) 


Aside from exploiting weak form field protection, Ethel’s SQL injection also 
relied on the fact that the approved column followed the screenshot 
column in the database structure. That’s how she was able to get away with 
just adding 1 onto the end of INSERT and have it go into the approved 
column. The problem is that the INSERT query is structured in such a way 
that it has to insert data into all columns, which adds unnecessary risk. 


Ideally ； should^t be -the 

^_id BY\d apfv-ovcd dolunrms srndc 

dould jus 七 have default values. 


INSERT guitarwars 

VALUES (0, NOW(), '$name 


'$score ', ' $screenshot ', 



An INSERT cjuery 

can l>e written so 
tkat it nails down 
exactly wkat values 
go in wkat columns. 


When data is inserted into a table like this, the order of the data must line 
up with the order of the columns in the table structure. So the fifth piece of 
data will go into the screenshot column because it’s the fifth column in 
the table. But it really isn’t necessary to explicitly insert the id or approved 
columns since id is auto-incremented and approved should always be 0. 

A better approach is to focus on inserting only the data explicitly required of 
a new high score. The id and approved columns can then be allowed to 
default to AUTO_INCREMENT and 0, respectively. 

We need a restructured INSERT query that expects a list of columns prior to 
the list of data, with each matching one-to-one. This eliminates the risk of the 
approved column being set — it’s no longer part of the query. If this kind of 
query looks familiar, it’s because you’ve used it several times in other examples. 

INSERT INTO guitarwars (date, name, score, screenshot) 

VALUES (NOW () , ' $name ' , ' $score '' $screenshot') 


be 

msevtcd m*to 


affv-oved tolumr\ 
bcdausc i*t listed 

as pav*t o( ^uevy- 


The id dolumy> be ou*t 
s'mdc i*t au*fco— 


This version of the INSERT query spells out exactly 
which column each piece of data is to be stored in, 
allowing you to insert data without having to worry about 
the underlying table structure. In fact, it’s considered 
better coding style to use this kind of INSERT query so 
that data is inserted exactly where you intend it to go, as 
opposed to relying on the structural layout of the table. 



you are here ► 


337 





















the DEFAULT command 


Hang on a second. This is the first 
Ive heard of default values in MySQL 
tables. Is that really possible? 


O 



Not only is it possible, but it’s a very good idea to 
specify DEFAULT column values whenever possible. 

The SQL DEFAULT command is what allows you to specify a default 
value for a column. If a column has a default value, you can forego setting 
it in an INSERT query and relax in the confidence of knowing that it will 
automatically take on the default value. This is perfect for the approved 
column in the guitarwars table. Now we just need to modify the table 
one more time to set the default value for approved to 0 (unapproved). 


the approved 乙 olumh already cxis-ts, ih 

this Alter table s-ta-tcmch-t wc have to use 

MODIFY COLUM/V instead o( ADD COLUM/V. 


ALTER TABLE guitarwars 
MODIFY COLUMN approved TINYINT 


DEFAULT 0 


r d 

peFAULT results *m a ?? vovcd 

d 辦 k 岣扣 W 如 & d 

a value 0 unless INSERT 
W sets 


Y^>u still have -fco spe^i-fy -the 

type o-P the dolurwh—just 

suv*c s Soiimc ds whch you 
added -the dolu^h. 


With the approved column now altered to take on a default value, the 
new and improved INSERT query in the Add Score script can insert 
high scores without even mentioning the approved column. This is 
good design since there’s no need to explicitly insert a value that can be 
defaulted, and it adds a small extra degree of security by not exposing the 
approved column to a potential attack. 
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Form validation caw wcvcr be too smart 

One last step in minimizing the risks of SQL injection attacks involves 
the form validation in the Add Score script. Before checking to see if the 
screen shot file type or size is within the application-defined limits, the 
three Add Score form fields are checked to make sure they aren’t empty. 


if (!empty($name) && !empty($score) && !empty($screenshot)) { 


There is nothing wrong with this code as-is, but securing an application 
is often about going above and beyond the call of duty. Since the Score 
field expects a number, it makes sense to not just check for a non-empty 
value but for a numeric value. The PHP is_numeric () function 
does just that by returning true if a value passed to it is a number, or 
false otherwise. It’s consistently doing the little things, like checking for a 
number when you’re expecting a number, that will ultimately make your 
application as secure as possible from data attacks. 


i-f s-tatemcht -fco 

suire all ^ 

-riclds avc hoh—emp-ty. 


is numeric(465730) 





is numeric(0) 


is numeric( 1 one million! 




Tv-uc ov- ^alsc 
oy\ ov- 

usev- entev-s a 
m*to S^ov-c -f ield- 


is_numeric ($score) 



E%eftct$e 


Wkenever possitle, insist on iorm ctata 
being in tke lormat you’ve reejuestect. 


Rewrite the Add Score form validation if statement to use the isnumeric () function so that 
only a numeric score is allowed. 
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test drive the new addscore.php 



Rewrite the Add Score form validation if statement to use the isnumeric () function so that 
only a numeric score is allowed. 




Tqst DriVq 


Beef up the handling of form data in the Add Score script. 

Tweak the assignment of form data to variables in the adds core • php script so that the 
trim () and mysqli_real_escape—string () functions are used to clean up the form 
data. Then change the INSERT query so that it specifies both the column names and values, 
eliminating the need to provide values for the id and approved columns. Also change the 
if statement that validates the form fields so that it checks to make sure the score is numeric. 

Finally, use a MySQL tool to run the ALTER query that defaults the approved column to 0. 

Upload the new Add Score script to your web server, navigate to it in a web browser, and 
then try the same SQL injection attack again. 


Now the Sdo\rc 
-Pov-m -field will ov\\y 
a 匕匕吓七 ^urwbcv-s 
and ho-thmg else. 


内 f ) 。 Caftf WftHigh 

guitar Wars. Add Your High Sctire 

Pkaac rnirr all uf tbr bifomutkm !□ add >uur swre. 


Sco re ： 


r. ■MheiSMortE.i 


filWVI! fNabar F -r no-i f 


( ， M4' 


SuV-C) *tWlS tXYOX mCSSajC 

tould be a b'»*t w>ov-c 


spc6-f it, but \i yts 如 

job y/i*tViout addm^ 

c%*tv-a \oyc bo script 


Fo\rrtn validation is a -fcopi^ that 
\rca^hcs -fa\r beyond database 
se 匕 Ch^ptcv* \0 vevisi-ts -fov*rw 
\y\ mudh rwovc dc'tdil... 
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securing your application 


Cease fire! 


It seems Ethel’s will to interfere with the Guitar Wars high scores has 
finally been broken thanks to the improvements to the application that 
render it immune to SQL injections. The reigning Guitar Wars champion 
has responded by posting a new top score. 





Guitar Wars ， High Scores 


Top Score ： 465730 


465730 

XHIW. |K4b SKSWlKEWfl 
20 US- 05-05 2 J 2 H 537 


Finally! I*m back 
at the top of the 
high score list with 
a jamming new score 




Guitar 

Uars 




Relieved that W\o^ sdo^cs 
扣 C how sa-fc -firom outside 
^ic\r(c\rcv\U, Ja^ob posts 
a hew "top sc,orc tha-t Will 
be "tough -to beat. 


Egad! Foiled again. Maybe 
ifs time I just learned 
how to play virtual guitar. 


Res 吵 ed v-at^cv 

jo'm -bv^ern *biiair\ to\r\tmuC *to 

lose 

-f i^uv"cs i*b w\i^*b be tiw'C *to 
become a ^u»tav Wiawior. 
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php&mysql toolbox 



Your PHP 备 MySQL Toolbox 

In addition to taking the Guitar Wars 
high score application to a new 
level ， you’ve acquired several new tools 
and techniques. Let’s revisit the most 
important ones. 


header () 

This buil*b-*m PttP Wti OY\ IS UScd 
-fco d licadcv* -fvom sevvev 
-to {\\t bvov/sev, dlloy/*»^ you b> 
^CV*^ov*w\ "tdsks S\aCM 3s v*cdiV"C6*ti^^ 
-the pay, a dcv*ta*m 

Cov\itY\i -type, ov ^av-vym^ out 

HTTP au*bhc^*bi^a*bioir\. 


USCV* 


$—SERVER 

^ h 9 0 仏饮 仏 ih 3 s, this built 
KftP su P^ 9 lobal stoics ihc 
广 e ahd password Chtc^cd by 
the usc^ whch attemp 仏 3 ^ 

adless a page vc^uiHhj HTTP 
au-thchtidatioh. /ou dah dhcdk 
thc ' c %aihs£ expend values io 
P^9« that ,eed h> be 

seduced. 


is_numeric () 
This 


ih PUP -fuhdtioh dhcdks 

b> see i-f a value is a hu^bev-. It 
is usc-ful -fov- *to see i-f d 

humev-id -forint -field actually holds 
d hurwc\rid value- 


一 () ， jsto 


exit () 

TWis buil*t-*m PHP ^ti\OYs causes 
a PrtP sdv-*i\>*t to sto\> *immcd*ia*tclY* 

a sdvi ? 七 cr>dour>*tcvs *tV>C 
-fur>6*t*ior>, r\o additional 
PrtP Code is C%c6u*tcd ar>d r>o 
additional HT/V1L todc is adWered 

*bo *t^C WoY/SCV*. 


ih 


DEFAULT value 


This S^L s-bicmcht es-bblishes 
de-Pauli value c^f a dolumh ih a 
■wblc. /+ a hCW ^. ow is added 3hd 

■the ^olumh ish't set it will *bkc 

° h the default value. 


escape 

—a 如七士 

t 二 :“ 南;：， 
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securing your application 


tturhSh Alodewtioh 

Evcirythihg i h modcvatioh/ /h -this 

£hat a 一如 b— 

•s ，十 b«U me J de^hse 

，h ld ^Y^ a.d 

l^ ahied bcihj posted 

上 y o*thm. Auioi^aicd seduvi-ty 

t^hhi^ues still — 0 七吒 
but its ha^rd {o \>cai a U%, 
bircathih 3 pevsoh with a b^-aih/ 


HTTP A^Kcntida-Goh — 

A simple Y/cb seduv-ity -tc^hhi^uc 
*tha*t lii^rb addess *to a web pa^c 
ov* sd\ri^*t us'm^ d usev- 
passwovd- 的 0 七 *m-tcy\dicd 

-fov* highly sensitive seduvrty 

a^lida-biohs, HTTP auth ⑶ *ti 6 atioh 
c ^ y \ be har\dy -Pov- <\uidkly add'm^ 
a dc^vcc seduv-'rty *to a web 
application. 


Cdu^/Valuc 公叫 

A ¥ d i_t 
IwHd ⑽ aWcs 

avc 6 avc-full 7 waUW 尸 

otV.cv, as closed b>rt\f^ 
加 oW oUk Ma 

sVudWal ovdev ok tht 
6 o lumy>s *m tV>C table- 


S6^L I 吻 et 七伽 

A sedurrty WtacM *tV>a*t Evolves 

evil-doer somcKoy/ 6om^\romis*m^ d 
S6^L* ^uCV'Y *bo u^v/3V"V3v>"bcd 
addess *to 3 da*b 3 l>asc. Most S($L 
irjjcd*tio^s involve *tv"i6km^ 3 >wcb 
-fov-m *m*bo ?assi% alo^ da^^cv-ous 

da 七 a div^d'tl'/ *to a dy^amidally 

do 灼 s 七 rudtedl <\uc\ry. So -fo\rm 
Vdlidd'kio^ is o*f 七⑶ "bV>C solution- 




/ Fo ^ ValidaiioyT 

Tu k, " 3 a " ^ 

r w 崎：： 

〔P a W s 
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7 building personali^ecl Web apps 




Remember me? 



No one likes to be forgotten, especially users of web 

applications. If an application has any sense of “membership,” meaning that users 
somehow interact with the application in a personal way, then the application needs to 
remember the users. You’d hate to have to reintroduce yourself to your family every time 
you walk through the door at home. You don’t have to because they have this wonderful 
thing called memory. But web applications don’t remember people automatically — it’s up 
to a savvy web developer to use the tools at their disposal (PHP and MySQL, maybe?) to 
build personalized web apps that can actually remember users. 


this is a new chapter 







a good mismatch is hard to find 


They say opposites attract 


It’s an age-old story: boy meets girl, girl thinks boy is completely nuts, boy 
thinks girl has issues, but their differences become the attraction, and 
they end up living happily ever after. This story drives the innovative new 
dating site, Mis-match.net. Mismatch takes the “opposites attract” theory 
to heart by mismatching people based on their differences. 

Problem is, Mismatch has yet to get off the ground and is in dire need of 
a web developer to finish building the system. That’s where you come in. 
Millions of lonely hearts are anxiously awaiting your completion of the 
application... don’t let them down! 



O 


Sidney loves reality TV, 
yo^a, dnd suslii, is 
-fov d sut^css-ful 



I can’t wait to 
find my perfect 
mismatch. 


Johan Nettles 
Male 

1981-11-03 
Athens, GA 


Personal web applications 
thrive on personal information, 
which requires users to be 
able to access an application 
on a personal level. 


、 


N 




Sidney Kelsow 
Female 
1984-07-19 
Tempe, AZ 



Johan loves J>\r<^fcssioK>«ll 

av\d is edited dboui 
3iy\)ov\t wholl \rcply -to him. 


Mismatch users need to be able to interact with the site on a personal 
level. For one thing, this means they need personal profiles where 
they enter information about themselves that they can share with 
other Mismatch users, such as their gender, birthdate, and location. 
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building personalized web apps 


Mismatch is all about personal data 

So Mismatch is all about establishing connections through personal data. 
These connections must take place within a community of users, each 
of whom is able to interact with the site and manage their own personal 
data. A database called mismatch_user is used to keep up with 
Mismatch users and store their personal information. 


TVi'is is 

/l/l'ismaU^ database. 




mismatch user 




join date 

first_name 

last_name 

gender 

birthdate 

2008-04-17 

Sidney 

Kelsow 

F 

1984-07-19 

09:43:11 



— 


2008-05-23^ 

12:24:06 

Johan 

Nettles 

"""M"""" 

1981-11-03 


city 


state 


picture 


l/Vithih the /Wisrwatdh 
database, the 

你一 USCV* "tolblc 

s*to\rCS usc\rs ahd theiv- 
pcvsohal p\ro^ile daia. 


Tempe AZ sidneypic.jpg 


Athens GA johanpic.jpg 





Miinuicti - Edit PmfllP 


Mismatch ■ View Fraflle 


First ubidw: Sidney 
L&ii MBfif j Ktisow 
faffrdErz Fcrnnk 
BirUuLuru: 

Locdtkiu: Ttrrsfw,. AZ 


Pfcturif ： 


Would JiTQil UJoc W edit vair panfik- 


Mismatch ■ Edil Pmlile 

■PcrecnaJ lnJoJinanon , 

Firy namt: Mtw*# 

LvA hwik-. 

ftfflSIt • I 



rovj o( 

misma^^uscv- 

•tabic doyrta’ms 

Thddi 七扣 d r so}nal d , aia 

d p.i • A*ov a sm<\k usev. 

r\rcHrilc pages heed 

■fco khow whose 

f\ro-Pilc -to 9 Ucss. 


Sidney Kelsow 
Female 
1984 - 07-19 
Tempe, AZ 



In addition to viewing a user profile, Mismatch users can 
edit their own personal profiles using the Edit Profile page. 
But there’s a problem in that the application needs to know 
which user’s profile to edit. The Edit Profile page somehow 
needs to keep track of the user who is accessing the page. 





How can Mismatch customize 
the Edit Profile page for each 
different user? 
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adding log-ins to mismatch 


Mismatch needs user log-ins 


The solution to the Mismatch personal data access problem involves user 
log-ins, meaning that users need to be able to log into the application. 
This gives Mismatch the ability to provide access to information that 
is custom-tailored to each different user. For example, a logged-in user 
would only have the ability to edit their own profile data, although they 
might also be able to view other users’ profiles. User log-ins provide the 
key to personalization for the Mismatch application. 

A user log-in typically involves two pieces of information, a username 
and a password. 


User log[-ins 
allow wet 
applications to 
get personal 
witk users* 


Username 


The job of the username is to provide each 
user with a unique name that can be used to 
identify the user within the system. Users can 
potentially access and otherwise communicate 
with each other through their usernames. 


Sidneyk 

jnettles ' 

Wsc\rhamcs typically dohsis-t 
alphahur»c\r'^ 

^ up -to -the usev-. 


Password 


The password is responsible for providing 
a degree of security when logging in users, 
which helps to safeguard their personal data. 
To log in, a user must enter both a username 
and password. 

★★★★★★ 零、 
★★★★★★★★ i 


^ Passv/ovds av-c wbremely 

sensitive pieces <Jc 
should be made visible 

v/rtWm a 於 application evert 

•mside i\\t database. 


A username and password allows a user to log in to the Mismatch 
application and access personal data, such as editing their profile. 


Tk Edit Profile fay 
mdi^3*tcs 七 



The usc\r s uscv-harwc 
yassyNord a\rc all that is 
<rc<\ui\rcd -to let -the afpliddiioh 
khow who they av-c. 



3 usev* Io0s ' 

1 〜 the appli^atioh is 

able "to \rchr»crhbcv- the 
⑽ dr 3hd plrovidc d 
pcmsohaliicd cxpcHch^c. 


BOO 



usev is lo^cd m- 

Mismatch - Edii 


are logged in as Sidneyk. 

Mismatch - Edit Profile 

-Personal Information 

First name: 

Last name: 

Gander: 
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building personalized web apps 


Come up with a user log - m gameplan 

Adding user log-in support to Mismatch is no small feat, and it’s important 
to work out exactly what is involved before writing code and running 
database queries. We know there is an existing table that stores users, so 
the first thing is to alter it to store log-in data. We’ll also need a way for 
users to enter their log-in data, and this somehow needs to integrate with 
the rest of the Mismatch application so that pages such as the Edit Profile 
page are only accessible after a successful log-in. Here are the log-in 
development steps we’ve worked out so far: 


6 


Use ALTER to add username and 
password columns to the table. 

The database needs new columns for storing the 
log-in data for each user. This consists of a username 
and password. 


厂 

password 

1 _wernanie 



pm 



J 


t^euserTe^^^ 

password. wsername and 

ultimately protect 

to Personalized pages so thaUh ^ aCCeSS 
without a valid log-in. e Y can t be viewed 


1 4 


Connect the Log-In script 
to the rest of the Mismatch 
application. 

The Edit Profile and View Profile pages 
of the Mismatch application should only 
be accessible to logged in users. So we 
need to make sure users log in via the 
Log In script before being allowed to 
access these pages. 
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mismatch setup 



Before going any further, take a moment to tinker with the Mismatch 
application and get a feel for how it works. 

Download all of the code for the Mismatch application from the Head First Labs web site 
at www. headfirst labs • com/boo ks/hfphp. Post all of the code to your web server 
except for the . sql files, which contain SQL statements that build the necessary Mismatch 
tables. Make sure to run the statement in each of the . sql files in a MySQL tool so that you 
have the initial Mismatch tables to get started with. 

When all that’s done, navigate to the index . php page in your web browser, and check out 
the application. Keep in mind that the View Profile and Edit Profile pages are initially broken 
since they are entirely dependent upon user log-ins, which we’re in the midst of building. 



These two lihks 
lead ih*fco the 
pc\rsohalizjcd foiv-ts 
o\ the dffli^diioh. 


A MiiruacJi* PlbprF«rH3^g^_M 思化 

Mbiwaldj ■ WIinT 

• r ： AiiiP^£k 



The Mismatch pdje allows 
you -to see the av\d pi^tuv-c 
the btes-t usevs, but ⑽七 rytudh 
else without bemj lojjed \y\. 


DoWnloclcI It! 

The complete source code for the Mismatch 
application is available for download from the 
Head First Labs web site: 

www.headfirstlabs.com/books/hfphp 



350 


Chapter 7 









building personalized web apps 


Preppmg the database for log-ins 


OK, back to the construction. The mismatch_user table already does 
a good job of holding profile information for each user, but it’s lacking 
when it comes to user log-in information. More specifically, the table is 
missing columns for storing a username and password for each user. 



"The — usc\r 

^olurnhS \oY usev^h^rrte 
3hd p3ssy/o\rd \y\ o\rdcV" -fco 
usc\r log-ih data. 



Dumb Questi 9 ns 


Username and password data both consist of pure text, so it’s 
possible to use the familiar VARCHAR MySQL data type for the 
new username and password columns. However, unlike some 
other user profile data, the username and password shouldn’t ever 
be allowed to remain empty (NULL). 


TVic a^d fassy/ord 

6olumr\S simple 

data but should 

be allov/cd *to 30 


rpen your pencil 


people v/ould *to 
*tvy 3r>d d passy/ovd 

\oY\^tr *tKav> l^> characiers! 




Why can’t you just use user id instead 
of username for uniquely identifying a user? 

You can if you want. In fact, the purpose of 
user_id is to provide an efficient means of 
uniquely identifying user rows. However, numeric 
IDs tend to be difficult to remember, and users really 
like being able to make up their own usernames for 
accessing personalized web applications. So it’s 
more of a usability decision to allow Johan to be able 
to log in as u jnettles" instead of “11”. No one wants to 
be relegated to just being a number! 



Finish writing an SQL statement to add the username and 
password columns to the table positioned as shown, with 
username able to hold 32 characters, password able to hold 
16 characters, and neither of them allowing NULL data. 
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sharpen your pencil solution 

- %^ 6 rpen your pendl 

Solution 


Finish writing an SQL statement to add the username and 
password columns to the table positioned as shown, with 
username able to hold 32 characters, password able to hold 
16 characters, and neither of them allowing NULL data. 


AL-TtR TABLE is used *to add 
y\^ toluwms 七 0 扣 七 3ble- 

L ALTER TABLE misma-Uh user AW VARCWARC^ MOT NULL AFTER user id, 

几 : AFTER siaiemetr\i doh-tv-ols v/he^e 

… the -table hew dolumhs avc added. 


added *fi\rst, so it’s 
"to \rc-Pcv*Ch^C it hc\rc- 


userjd 

wtntaM* 

paiiwonl 



last_name 

gMtder 

MrtMal* 

dly 

Hal* 

phiM* 






匕 







Use ALTER to add username and 
password columns to the table. 


The position o-f dolumirts m 3 tclblc docs^^-t hC^css^vily 

dltiioujh i-t scv*vc Sr\ o\r^^iz^-tiohdl purpose 
m -tcvms o( posiiio^mg the most impo\rtaht 匕 olurrms -fiv-s-fc. 
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Surely you don’t just store a password in 
the database as-is... don’t you also need 
to encrypt a password before storing it? 



Good point... passwords require encryption. 

Encryption in Mismatch involves converting a password into 
an unrecognizable format when stored in the database. Any 
application with user log-in support must encrypt passwords so 
that users can feel confident that their passwords are safe and 
secure. Exposing a user’s password even within the database itself 
is not acceptable. So we need a means of encrypting a password 
before inserting it into the mismatch_user table. Problem is, 
encryption won’t help us much if we don’t have a way for users 
to actually enter a username and password to log in... 





























building personalized web apps 


Cowstructiwg a log - iw user interface 


With the database altered to hold user log-in data, we still need a way for 
users to enter the data and actually log in to the application. This log-in 
user interface needs to consist of text edit fields for the username and 
password, as well as a button for carrying out the log-in. 

TiiC passv/o\rd -f ield is 
pvo*tcd*tcd so 七 ha 七七 he 
^dssv/ovd V"C3d3blc- 




[jhcttlcs 1 

P^sswomd ： \ 来来来氺来來 4 决 \ 



L Lo 3 ^ I 




Ckk 岣从 C U WUo” 

w akcs a^i'^at'on cMtck 

七 V^c uscvyva^c bv\A passY/ovd 
a^a'ms*t database. 


An application log¬ 
in requires a user 
interface lor entering 
tke username and 
password. 


mismatch user 


user id 

username 

password 

••• 

9 

dierdre 

******* 


10 1 

baldpaul 

****** 


11 

jnettles 

******** 


_ - 


|-f *thc uscv-^amc ar>d 
password dhcdk ou*t> the 
usev- is suddcss-pully lo^cd m. 





ft o n ^ 


Mismatch - View P 


ro^ 


You arc logged in as jnetths 




Dumb Qu©sti9ns 

So asterisks aren’t actually stored in the database, right? 

That’s correct. The asterisks displayed in a password form 
field simply provide visual security, preventing someone from 
looking over your shoulder as you enter the password. When the 
form is submitted, the password itself is submitted, not the asterisks. 
That’s why it’s important for the password to be encrypted before 
inserting it into the database. 


o 


If you’re worried about 
how users will be able to 
log in when we haven’t 
assigned them user names 
and passwords yet... don’t 
sweat it. 

We’ll get to creating user names and passwords 
for users in just a bit. For now it’s important to lay 
the groundwork for log-ins, even if we still have 
more tasks ahead before it all comes together. 
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the sha() function 


Ewcrypt passwords with SHAO 

The log-in user interface is pretty straightforward, but we didn’t address 
the need to encrypt the log-in password. MySQL offers a function called 
SHA () that applies an encryption algorithm to a string of text. The 
result is an encrypted string that is exactly 40 hexadecimal characters 
long, regardless of the original password length. So the function actually 
generates a 40-character code that uniquely represents the password. 

Since SHA () is a MySQL function, not a PHP function, you call it as 
part of the query that inserts a password into a table. For example, this 
code inserts a new user into the mismatch_user table, making sure to 
encrypt the password with SHA () along the way. 


Tlie MySQL SHAO 

function encrypts 
a piece ol text 
into a unique 40- 
ckaracter code* 


INSERT INTO mismatch 一 user 

(username, password, join date) VALUES ( ' jnettles 'SHA ( ’ tatlover ' ) , NOW () 


The S_ Wti oy\ f3ssy/ovd m*to B 

^"0-dhav-at*tcv- Kc^adcdimal Code yts s*tov-cd 
\ y \ ^dssy/o\rd dolurwir> 七 he 一七 3 ble. 


The same SHA () function works on the other end of the log-in equation 
by checking to see that the password entered by the user matches up with 
the encrypted password stored in the database. 




This is the cldiual 
passwovd as Ch"tc\rcd ih-fco 
"the pdsswolrd -fovrw -field- 


^ s C\rha^c- (jhc-t-tlcs 


Password ： p 来料料來决 

r^-°9 ~ j 


丁 he pdsswoird 


a 於 passed 

• m -to a ^O-^av-attcv- 


'e511d793f532dbe0e0483538ell977f7b7c33b28 



mismatch user 


user_id 

username 

password 

參 •• 

9 

dierdre 

08447b." 


10 1 

baldpaul 

230dcb... 


n 

jnettles 

【 e511d7 」 . 

• • • 


七 the actual password, w 

stove the c^vyp-ted Code 


ft o o 


Mismatch - View P 





arc 
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building personalized web apps 


Comparing 

拆 crypfing passwords 

Once you’ve encrypted a piece of information, the natural instinct is to 
think in terms of decrypting it at some point. But the SHA () function is 
a one-way encryption with no way back. This is to preserve the security 
of the encrypted data — even if someone hacked into your database and 
stole all the passwords, they wouldn’t be able to decrypt them. So how is it 
possible to log in a user if you can’t decrypt their password? 

You don’t need to know a user’s original password to know if they’ve 
entered the password correctly at log-in. This is because SHA () generates 
the same 40-character code as long as you provide it with the same 
string of text. So you can just encrypt the log-in password entered by 
the user and compare it to the value in the password column of the 
mismatch—user table. This can be accomplished with a single SQL 
query that attempts to select a matching user row based on a password. 


Tlie SHAO 

function provictes 
one-way 
encryption—you 
can’t Jecrypt 


data tkat kas 
teen encrypted. 


SELECT * FROM mismatch—user 

WHERE password = SHA( ' tatlover ') 


丁 his is the password Chtcv-cd 
by -the usc\r ih o\rdc\r "to log ii 


、 Uc SttAO Wtior. *»s tailed kfi 

passy/ov-d SO it 
appear \ y \ misuse- 



Dumb Questi9ns 

What does SHA() stand for? 


This SELECT query selects all rows in the mismatch_user 
table whose password column matches the entered password, 
tatlover ' in this case. Since we’re comparing encrypted versions of 
the password, it isn’t necessary to know the original password. A query 
to actually log in a user would use SHA (), but it would also need to 
SELECT on the user ID, as we see in just a moment. 


The SHA () function stands for Secure 
Hash Algorithm. A “hash” is a programming 
term that refers to a unique, fixed-length string 
that uniquely represents a string of text. In the 
case of SHA (), the hash is the 40-character 
hexadecimal encrypted string of text, which 
uniquely represents the original password. 


Making room for the encrypted password 

The SHA () function presents a problem for Mismatch since encrypted 
passwords end up being 40 characters long, but our newly created 
password column is only 16 characters long. An ALTER is in order to 
expand the password column for storing encrypted passwords. 

ALTER TABLE mismatch—user 

CHANGE password password VARCHAR(40) NOT NULL 

y 

丁 he siz^ <Jc passv/ovd dolum^ is 

-to 午 O so i\\^i cr>dvYf*tcd passy/ovds Will -fit 


Are there any other ways to encrypt 
passwords? 

Yes. MySQL offers another function similar 
to SHA () called MD5 () that carries out 
a similar type of encryption. But the SHA () 
algorithm is considered a little more secure than 
MD5 () ， so it’s better to use SHA () instead. 
PHP also offers equivalent functions (shal () 
and md5 ()) if you need to do any encryption in 
PHP code, as opposed to within an SQL query. 
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Tesr DriVq 


Add the username and password columns to the 
mismatch 一 user table, and then try them out. 

Using a MySQL tool, execute the ALTER statement to add the 
username and password columns to the mismatch user table. 


ALTER TABLE mismatch—user ADD username VARCHAR(32) NOT NULL AFTER user_id, 
ADD password VARCHAR(16) NOT NULL AFTER username 


But our password column actually needs to be able to hold a 40- 
character encrypted string, so ALTER the table once more to make room 
for the larger password data. 


ALTER TABLE mismatch—user 

CHANGE password password VARCHAR(40) NOT NULL 


Now, to test out the new columns, let’s do an INSERT for a new user. 

INSERT INTO mismatch_user 

(username, password, join—date) VALUES (* jimi ', 


Dok /七 -Po\rgct {jo 
"tk password by ddlliha 
^ mo 仏 w 伽 . 

SHA('heyjoe'), NOW()) 


To double-check that the password was indeed encrypted in the database, take 
a look at it by running a SELECT on the new user. 


SELECT password FROM mismatch_user WHERE username = 1 jimi 


d sut^css-ful 
■bKis must be i\\t same 


And finally, you can simulate a log-in check by doing a SELECT on the 
username and using the SHA () function with the password in a WHERE clause. 


f>dssy/o\rd used 

v-oy/. 



SELECT username FROM mismatch—user WHERE password = SHA('heyjoe') 


File Edit Window Help OppositesAttract 


mysql> SELECT username FROM mismatch—user WHERE password = SHA( 1 heyj oe') 
H - h 

I username | uSC y- 

^passy/ord. 

+ - + 

1 row in set (0.0005 sec) 
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So the password is now encrypted, 
but we still need to build a log-in form. 
Could we just use HTTP authentication 
since it requires a username and 
password to access protected pages? 


O 


Yes! HTTP authentication will certainly 
work as a simple user log-in system. 

If you recall from the Guitar Wars high score application 
in the last chapter, HTTP authentication was used 
to restrict access to certain parts of an application by 
prompting the user for a username and password. That’s 
roughly the same functionality required by Mismatch, 
except that now we have an entire database of possible 
username/password combinations, as opposed to one 
application-wide username and password. Mismatch 
users could use the same HTTP authentication window; 
however, they’ll just be entering their own personal 
username and password. 



rCfUr mil ^ In thfcitar. 


N.Lrni 1 

Pjsswcwd 



nc standard HTTP 

W^Ao^n, is 

bvoy/scv--spc^i-fit> sc\rvc as 
3 simple lo$ 一 m uscv 


you are here ► 


357 









http authentication for mismatch 


Authorizing users with HTTP 

As Guitar Wars illustrated, two headers must be sent in order to restrict 
access to a page via an HTTP authentication window. These headers 
result in the user being prompted for a username and password in order to 
gain access to the Admin page of Guitar Wars. 



Tiicsc b^o iicadcvs mus*t be sc 灼 

•m ovdev *to vcs*t\rit*t BCCtss *to 3 
via HTTP 匕 ato 扒 . 


Sending the headers for HTTP authentication amounts to two lines of 
PHP code — a call to the header () function for each header being sent. 


header('HTTP/1.1 401 Unauthorized'); 

header('WWW-Authenticate : Basic realm= M Mismatch M '); 

少 

TVis is the \rcaU -fov 
au*tKchtita*b*ior», ^iW\c\\ affl»cs 
•to affkatiew. 


WTTP au-thch-tidati OY\ 


\rc^ui\rcs us io stv\d 
two headev-s. 


A use^ame av\d fassv/ov-d arc 



Whlcss a usc\r Chtcv-S the 
usc\rhamc a^d 

password, "they 匕如⑽七 
see o\r use this pa^e- 


To viEiv tWi papflt, y<iii need (o I 09 ii^ 

T.uiiiip Wirr am 

Tojr paivml Mil _ ： 喊 nf m 屬 f 
Niimf: ioi^k 

Pj^Hwrd: 1 


vc^uivcd m ovdev- *to 3 ddcss 
v-cstv*id*tcd pa^cs *m *tV>c ^uiiav- 
1/Vav-s afplitatioy>. 
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E%eRci$e 


Circle the different parts of the Mismatch application that are impacted by the Log-In script 
(login.php) and its usage of HTTP authentication to control access. Then annotate how 
those application pieces are impacted. 


Heve’s 七 he 


Lo^-k script 



login.php 



index.php 




viewprofile.php 



editprofile.php 
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exercise solution 





|OH 


Circle the different parts of the Mismatch application that are impacted by the Log-In script 
(login.php) and its usage of HTTP authentication to control access. Then annotate how 
those application pieces are impacted. 


login.php 

d uscv- lojs '\Y\, -thciv- 
uscv-^arwc and p3ssy/oV"d 
are c\\tcVtd the 

database -to c^suv-c -they 

a V-Cjistcircd uscir. 

mismatch user 


"The home page f lays ho 

V*olc ih uscir lo^ - ihs 
bc^usc i-t heeds -fco 
addcssiblc by all. 


|*P a \row iSh’ 七 -Pou^d ihat rwaithes 
the usev-^arwe password, -the Log 
|h s^vip-t displays dh c\r\ro\r messd^e 

如 d p\rcvc>r>-ts -fu\rthcv adless. 


Mm 


index.php 


iw»- 


*' IWill 




rofile 


r 

l/icwmj and 
editing profiles 
is \rcs-t\ri^icd, 

thai ov\\y 

lo 39cd ih USCV-S C^Y\ 

access -these pages. 


The Edit Pv-o-Pilc page hot 

o^ly 代 lies cm the L 03 |h 
s^\ript -Po\r rcsbr\titd BUtss, 
but i*t also heeds the usev-hdme 
•m o\rdc\r io dc-tc\rm*mc whidh 
f\ro^ilc "to edit- 


thereicire no ^ 

Dumb Questi9ns 


Why isn’t it necessary to include the home page when 
requiring user log-ins? 

Because the home page is the first place a user lands when 
visiting the site, and it’s important to let visitors glimpse the site 
before requiring a log-in. So the home page serves as both a teaser 
and a starting point—a teaser for visitors and a starting point for 
existing users who must log in to go any deeper into the application. 

Can logged-in users view anyone’s profile? 

Yes. The idea is that profiles are visible to all users who log 
in, but remain private to guests. In other words, you have to be a 
member of Mismatch in order to view another user’s profile. 


How does password encryption affect HTTP 
authentication? 

There are two different issues here: transmitting a password 
and storing a password. The SHA () MySQL function focuses on 
securely storing a password in a database in an encrypted form. The 
database doesn’t care how you transmitted the password initially, so 
this form of encryption has no impact on HTTP authentication. 
However, an argument could be made that encryption should also 
take place during the transmission of the password when the HTTP 
authentication window submits it to the server. This kind of encryption 
is outside the scope of this chapter and, ultimately, only necessary 
when dealing with highly sensitive data. 
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Logging In Users with HTTP Authentication 


The Log-In script (login . php) is responsible for requesting a username 
and password from the user using HTTP authentication headers, grabbing 
the username and password values from the $_SERVER superglobal, and 
then checking them against the mismatch_user database before providing 
access to a restricted page. 


<?php 

require once ( 'connectvars.php ') 


if (!isset($ SERVER['PHP AUTH USER']) 


: theahd password 

_ _ isset ($_SERVER[ 1 PHP_AUTH_PW' ] ) ) { t DCCh Chtc^cd, SChd 

// The username/password weren't entered so send the authentication headers the i j 

header ( ' HTTP/1.1 401 Unauthorized' ) ; _^ ^ / », 没饮 5 

header ( ' WWW-Authenticate : Basic realm= M Mismatch M ' ) ; - ' 0¥v\y C USCV". 

exit('<h3>Mismatch</h3>Sorry, you must enter your username and password to log in and access '. 

'this page .'); 

9v\d fassy/ov-d 
cr\*tcv"cd by uscv~. 


// Connect to the database 

$dbc = mysqli connect (DB HOST, DB USER, DB PASSWORD, DB NAME); 


// Grab the user-entered log-in data 
$user username = mysqli—real_escape 一 string($dbc, trim($_SERVER[ 1 PHP—AUTH USER 1 ])); 
$user password = mysqli—real_escape 一 string($dbc, trim($_SERVER['PHP_AUTH PW'])); 

// Look up the username and password in the database 


Pc\r-Po\rrh a ^ucv-y "to 
see a^y \rows rwatdli 
the use\fhdme dhd 

passwov-d. 

J 


$query = M SELECT user id, username FROM mismatch user WHERE username = '$user username' AND 
"password = SHA('$user password ') M ； 

$data = mysqli—query($dbc, $query); 


if (mysqli 一 num—rows($data) — 1) { 

// The log-in is OK so set the user ID 
$row = mysqli 一 fetch array($data); 

$user id = $row['user_id']; 

$username = $row['username']; 

} 

else { 

// The username/password are incorrect 
header( 1 HTTP/1.1 401 Unauthorized'); 
header('WWW-Authenticate : Basic realm=' 
exit('<h2>Mismatch</h2>Sorry, you must 
'access this page .')； 


and username variables 

a V"OY/ i*b 

is wC £-3^ 

'usev id fuscv"r\3w>c V3\ri3blcs. 




so send the authentication headers 


^ ho database \row -the 

uscv-h^rhc 3hd passwov-d, se^d 
the au-thch-tidatioh headev-s 
agaih "to \TC-f\rorhp-t the usev-. 


'Mismatch"'); 

enter a valid username and password to log in and 


// Confirm the successful log-in 

echo ('<p class= M login M >You are logged in as ' 


$username . '.</p>'); 


?> 


夕 


All is y/cll a*t t^'is po'mt, so 

匕 o 作 fivm i\\t sudtess-ful 


^ Build a new Log-In script that 
\ prompts the user to enter the 
username and password. 
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test drive mismatch 




Tesr DriVq 


Create the new Log-In script, and include it in the View Profile 
and Edit Profile scripts. 

Create a new text file named login . php, and enter the code for the Log-In script in 
it (or download the script from the Head First Labs site at www. headfirst labs • 
com/books/hfphp). Then add PHP code to the top of the viewprof ile . php 
and editprof ile . php scripts to include the new Log-In script. 

Upload all of the scripts to your web server, and then open the main Mismatch page 
in a web browser. Click the View Profile or Edit Profile link to log in and access the 
personalized pages. Of course, this will only work if you’ve already added a user with a 
username and password to the database. 

These "tv/o Irnks lead -fco the pv-o-tedted TK'»s passy/ov-d is SlW) cMv*'/? 七卞 



362 Chapter 7 


















building personalized web apps 


/Uy /Wismatdh page tha-t 
V"C^uiv"Cs I03 - ih suppoir ■{: ohly 
has "to ih^ludc the 

s^ipt at the vc\ry begihhihg 
or its dodc. 


r- once ('login.php') 

<html> 

<head> 

<title>Mismatch - View Profile</title> 

〈link rel= M stylesheet" type= M text/css" href= M style.css" /> 


n r> 


</headH 

Miimiscii « Prcrfll 兵 


Kim tm rfl 

Mismatch - Y icH. FroBJt 

IJjrfTnamK jnclli^ 

fir 沽 rutrit^ Jotua 
L&ii nMWti ycnSfs 
tlwdws Mak 

BirliuiMEt: l<?SM l-QJ 
IjncdftiriB ： AlhcJiif., Cl A 


Pkiurt;; 


wtfliH >isii UKs w wllr votir pjoW 



Both pages sighi-fy -fehc log-m 
with a ^Oh-fivma-tioh that is 
Provided by -the Log-|h sdv-ipt 


I-P -the uscv-y>amc ar\d fassv/ov-d 

diicdk out USCV is _ 

lo^ed \r\, dr>d rtsi o ( 七 he 
f>a^e is allowed *to load- 



R, DB—PASSWORD, DB NAME); 

I 

；abase 



TV Lo^-k stv'ifb is \uWAtd 
-f ivs*b m *tKc \/*c>m Prof ile 

a^d Edit Pvo^le sd^ifb -to 
tY\^OYtt usc\r 105 -ms. 



viewprofile.php 


^ no 


require once ( 1 login.php'); 


<html> 

<head> . 

<title>Mismatch - Edit Profile</ tit le> ” /、 

clink rel="stylesheet" type="text/css" href= style_css / 

MlKiTuvchi - EdSt PtoAip 



KVWJ rfl jn 

Mismatch - Edit PrAfik ： 

P-trsfintl IrJ&musiion- 
I s ir^ namt!: _hui 



Lasi iiamet 
GfBderE 
blrthtlBWE S^HI^U-aJ 


fl 


DB—PASSWORD, DB—NAME); 


ST 


l-lfh 5 E Aihfm 

Staler ST 




Pirturt.:' < ㈣ ，，“， 、 

/N 


(Jpa 








editprofile.php 


E 把 h usc\r is how p\rcsch-tcd 
with thci\r vevy owh dus-tomiz^d 
Misma-t^h CXpCV-iChdC- 



Connect the Log-In script to the 
rest of the Mismatch application. 
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mismatch needs a sign-up form 


Ruby loves ho\r\ro\r movies, dube puzdes, 
ahd spidy -food, but hates /VJismatdh 
at the I^omch-t -fo\r hot Ict-tihg hc^ 
sigh up av\d use the system. 




rd love to log in and start 
working on my profile, but I 
can’t figure out how to sign up. 



New Mismatch users need a way to sign up. 

The new Mismatch Log-In script does a good job of using 
HTTP authentication to allow users to log in. Problem is, 
users don’t have a way to sign up — logging in is a problem 
when you haven’t even created a username or password yet. 
Mismatch needs a Sign-Up form that allows new users to 
join the site by creating a new username and password. 


Username? 


Password? 
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A form for signing up new users 

What does this new Sign-Up form look like? We know it needs to allow the 
user to enter their desired username and password... anything else? Since 
the user is establishing their password with the new Sign-Up form, and 
passwords in web forms are typically masked with asterisks for security 
purposes, it’s a good idea to have two password form fields. So the user enters 
the password twice, just to make sure there wasn’t a typo. 

So the job of the Sign-Up page is to retrieve the username and password 
from the user, make sure the username isn’t already used by someone else, 
and then add the new user to the mismatch user database. 


Password ： p 料料料 4 




Ckk— 七 he Wf button 

vcsul*U \ y \ 七 he applidati 
add'm^ ar>d 

^dssy/ovd *to d3"tcib3sc 


TV^ f>dssy/ov*di is double—"to 

risk o-f an 

^>dssy/ordi yttmj sc*t *fo\r usev. 



K>OW 


One potential problem with the Sign-Up script involves the user attempting 
to sign up for a username that already exists. The script needs to be smart 
enough to catch this problem and force the user to try a different username. 
So the job of the Sign-Up page is to retrieve the username and password 
from the user, make sure the username isn’t already used by someone else, 
and then add the new user to the mismatch user database. 


Sih 以 the p 3 sswo\rds 

IhcyVc scduv-c eveh 
when vicwihj the ddiabase- 
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finish signup.php 


□ 


PHP& MySQL Magnets 

The Mismatch Sign-Up script uses a custom form to prompt the user 
for their desired username and password. Problem is, the script code 
is incomplete. Use the magnets below to finish up the script so new 
users can sign up and join the Mismatch community. 

蚪 on 


ttcvc s the 
""" ^* 0 ^—Wp -Pov» 




Mixiiuildi ^ Sinn Up 
rkw truer jwr Bcnarar am) ikwrf ㈣ 


LKTTXJffWi' 


PEs&wnnd 

frrtrtwy ： 

■ ■aajjj g 


■圓 


<?php 

require once( 1 appvars.php 1 ); 
require once( 1 connectvars.php ')； 

// Connect to the database 

$dbc = m y sqli—connect (DB_HOST, DB_USER, DB_PASSWORD, DB—NAME); 

if (isset($_POST['submit'])) { 

// Grab the profile data from the POST 

= myS qli—real_escape—string ($dbc, trim ($_POST ['... 

.=mysqli_real_escape_string ($dbc, trim ($_POST [ ’. 

.= myS qli—real_escape—string ($dbc, trim ($_POST [’ .’]))，• 

if (!empty($username) && !empty($passwordl) && !empty($password2) && 

( == )){ 

/ / Make sure someone isn't already registered using this username 

$query = n SELECT * FROM mismatch_user WHERE username ='. 

$data = mysqli_query($dbc ， $query); 
if (mysqli num—rows($data) == 0) { 

// The username is unique, so insert the data into the database ” 

$query="INSERT INTO mismatch_user (username, password, ]oin_date) VALUbb . 

Vo^i you have -to 

av\ apostv-ophe i-f it 

msidc o( Quotes. 

// Confirm success with the user , ^ ^ . 

echo ' <p>Your new account has been successfully created. You\ re now rea y 

， <a href="editprofile.php">edit your profile</a>.</p> ’； 


”（ ， ',SHA(' 

mysqli_query($dbc, $query); 


'),NOW() ) M ； 


mysqli_close ($dbc); 
exit (); 
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the completed signup.php 



PHP & MySQL Magnets Solution 

The Mismatch Sign-Up script uses a custom form to prompt the user 
for their desired username and password. Problem is, the script code 
is incomplete. Use the magnets below to finish up the script so new 
users can sign up and join the Mismatch community. 0 ^ n 


ttcvcs the 

-po\r» 


h^xrru£^h - 各穿 i ijp. 


Mismalth * Si 响 Up 
ric 议 cnlrr _ waiamc and ikwrd 卿霣 ㈣ 

IWiuww ； 


I Info 


<?php 

require once(▼appvars.php▼); 
require once( 1 connectvars•php 1 ) 


Pushword ^ 冒刊 ” 1 » 

(rrtypt )； 




// Connect to the database 

$dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB—NAME); 

^v-ab all o( -the usev" - eyrteved data, 

if (isset ($_POST [’ submit 1 ] ) ) { in^akma su\rc "to rt uP -Pilrs-t. 

// Grab the profile data from the POST 


$username 


mysqli real escape—string($dbc, trim($_POST[ 
$passwordl | = mysqli—real—escape—string($dbc, trim($_POST[ _ 
J $password2 | = mysq ii_ r eal_escape_string ($dbc, trim ($_POST [’ 


username 


L 1 ]))； 


passwordl r 1 ))； 


password 2 


])) 


if (! empty ($username) && ! empty ($passwordl) && ! empty ($ P assword2) && Chcdk jo make su\rC ihai 

___ _ y\OY\C <A -the -Pov-rw -fields 

$passwordl | == |$password2^|) ) { ^ a\rc Cmfiy av\d ihai 

//Make sure someone isn't already registered using this username ㈣ passy/ovds math. 

$guerv= n SELECT * FROMmismatch_user WHERE username = ' J ； 丨 .p 

PcV**foVm d <\IaCV"Y 

$data = mysqli_query ($dbc, $ query); 扣 y 

if (mysqli num rows($data) == 0) { 

//The use"rname is unique, so insert the data into the database 

$query="INSERT INTO mismatch_user (username, password, ]oin_date) VALUbb . 

_I - ( AT 。口 ,、、 ” is -Pou^d , 七 he 

^usern^^^,' ， SHA ( 1 


$passwordl~k ' ^ N0W ()) ’’ ; 


use\rMrwe is u^i^uc, so v/C dahl 

mysqli query ($dbc, $query) ; 乂 Bi*thc\r passy/o\rd dould be used hcirc 匕針 y 伽七仏亡 INSERT- 

sihde they rwusi be equal -to act b> this Poiht 

// Confirm success with the user , ^ ^ • n . 

echo '<p>Your new account has been successfully created. You\ re now rea y . 

'<a href="editprof ile .php">edit your prof ile</a> . </p> ’ ； 

Coy>-fiv*m sudtess-ful 

mysqli_close($dbc); ^ ^ ^ 

} exlt ()' ^ ad art Wift 
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else { 

//An account already exists for this username, so display an error message 

echo '<p class= n error，，>An account already exists MArname. P eas( 

'address.</p>'; 


$username 


Clcav- the 

fusev-ha^e 
variable so that the 
*Po\rm -field is cleared- 


for this username. Please use a different ’ . 

uscv*ir\3i^C is r\o*b 
so display 
cvvo\r 州 essay. 


e icho { -<p ciass=-error->Youmust enter all of the sign-up data, including the desired password 
▼ twice.</p〉▼/ 


V. 


Oy\C o\r rwo\rc of "the -foVrw -fields 
Crupty, so display 如 c\r\ro\r messd^e- 


mysqli—close($dbc); 

?> 

<p>Please enter your username and desired password to sign up to Mismatch. </p> 
<form method= ,, post , ' action="<?php echo $_SERVER [ ’ PHP—SELF ’ ] ’ ？>’’> 

<fieldset> 

<legend>Registration Info</legend 〉 

〈label for= n username n >Username: 〈 /label 〉 


〈input type="text" id= 


username 


name: 


username 


value= M <?php if (! empty ( | $username 


))echo 


$username 


；?> M /xbr /> 


<label for=’ 
<input type: 
<label for=' 
<input type= 


passwordl 


'>Password:</label> 


厂 password^ ” id=” J passwordl 


name 1 


pas 


swordl 


/xbr /> 


password2 [">Password (retype) : 〈 /label 〉 

'name=" 


I password 


id= 


password2 


I password 2 1. 


/xbr /> 


</fieldset> . 

〈input type= M submit" value="Sign Up" name="submit" /> 

</form> 


thereicire no o 

Dumb QuestiQns 



Q/ Why couldn’t you just use HTTP authentication for signing 
up new users? 

Because the purpose of the Sign-Up script isn’t to restrict 
access to pages. The Sign-Up script’s job is to allow the user to 
enter a unique username and password, and then add them to the 
user database. Sure, it’s possible to use the HTTP authentication 
window as an input form for the username and password, but the 
authentication functionality is overkill for just signing up a new user. 
It’s better to create a custom form for sign-ups—then you get the 
benefit of double-checking the password for data entry errors. 


So does the Sign-Up script log in users after they sign up? 

No. And the reason primarily has to do with the fact that the 
Log-In script already handles the task of logging in a user, and 
there’s no need to duplicate the code in the Sign-Up script. The 
Sign-Up script instead presents a link to the Edit Profile page, which 
is presumably where the user would want to go after signing in. And 
since they aren't logged in yet, they are presented with the Log-In 
window as part of attempting to access the Edit Profile page. So the 
Sign-Up script leads the user to the Log-In window via the Edit Profile 
page, as opposed to logging them in automatically. 
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adding a sign-up link 


frive users a chance to sign up 


We have a Sign-Up script, but how do users get to it? We need to let users 
know how to sign up. One option is to put a “Sign Up” link on the main 
Mismatch page. That’s not a bad idea, but we would ideally need to be able 
to turn it on and off based on whether a user is logged in. Another possibility 
is to just show a “Sign Up” link as part of the Log-In script. 

When a new user clicks the “View Profile’’ or “Edit Profile” links on the main 
page, for example, they’ll be prompted for a username and password by the 
Log-In script. Since they don’t yet have a username or password, they will 
likely click Cancel to bail out of the log-in. That’s our chance to display a link 
to the Sign-Up script by tweaking the log-in failure message displayed by the 
Log-In script so that it provides a link to signup . php. 

Here’s the original log-in failure code: 




V^ow *to up -fov- 


exit('<h3>Mismatch</h3>Sorry, you must enter your username and password to log in and access 
'this page .')； 


This code actually appears in two different places in the Log-In script: when 
no username or password are entered and when they are entered incorrectly. 
It’s probably a good idea to go ahead and provide a “Sign Up’’ link in both 
places. Here’s what the new code might look like: 


丁 his Codt is rrtudK Hf»o\rc 

sihdc it gchcvatcs a 

l_hk "to 产 r>X 



exit('<h2>Mismatch</h2>Sorry, you must enter a valid username and password to log in and '. 

'access this page. If you aren\'t a registered member, please <a href= M signup.php M >sign up</a> 


d y\ov*mdl HTML "to 



sdr'ift. 
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Tesr DriVq 


Add Sign-Up functionality to Mismatch. 

Create a new text file named signup . php, and enter the code for the Sign-Up script in 
it (or download the script from the Head First Labs site at www. headfirst labs • com/ 
books/hfphp). Then modify the login . php script to add links to the Sign-Up script for 
users who can’t log in. 

Upload the scripts to your web server, and then open the Sign-Up page in a web browser. 
Sign up as a new user and then log in. Then edit your profile and view your profile to 
confirm that the sign-up and log-in worked correctly. The application now has that 
personalized touch that’s been missing. 


讦丁 TP 

is -to log i h /? u by 
based oh hcv* si0h—up 
ih-fovma-tioh. 
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mismatch also needs to let users log out 



I share a computer with two 
roommates, and rd rather 
they not have access to my 
Mismatch profile. I need to 
be able to log out! 


Community web sites must allow users to log out so 
that others can’t access their personal data from a 
shared computer. 

Allowing users to log out might sound simple enough, but it presents 
a pretty big problem with HTTP authentication. The problem is that 
HTTP authentication is intended to be carried out once for a given page 
or collection of pages — it’s only reset when the browser is shut down. In 
other words, a user is never “logged out” of an HTTP authenticated web 
page until the browser is shut down or the user manually clears the HTTP 
authenticated session. The latter option is easier to carry out in some 
browsers (Firefox, for example) than others (Safari). 


To ThU pogh ypu nwd cn tag In to 
▲M kmdJStV on 

Vour ■will arprl In ihc 


Oy\U you I05 \y\, you 
s*bay m u 灼七 il you 
dlosc 七 he bv-oy/scv-. 







Name. sidn^vk 


Pj^waril. S 



f Cineil j f login 






/\ 105-out *fca*tu\rc 
y/ould sllow Sidney "to 
^av-c-fully cov\bro\ autss 
{p ilCV- pcV-SOir\al 


Even though HTTP authentication presents a handy and simple way to 
support user log-ins in the Mismatch application, it doesn’t provide any 
control over logging a user out. We need to be able to both remember 
users and also allow them to log out whenever they want. 
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Wouldn t it be dreamy if we could 
remember the user without keeping them 
logged in forever. Am I just a hopeless 
PHP romantic? 
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introducing cookies 


Sometimes you just need a cookie 


The problem originally solved by HTTP authentication is twofold: there 
is the issue of limiting access to certain pages, and there is the issue of 
remembering that the user entered information about themselves. The 
second problem is the tricky one because it involves an application 
remembering who the user is across multiple pages (scripts). Mismatch 
accomplishes this feat by checking the username and password stored 
in the $_SERVER superglobal. So we took advantage of the fact that 
PHP stores away the HTTP authentication username and password in a 
superglobal that persists across multiple pages. 


HTTP autkentication 

stores data persistently 
on tke client tut doesn’t 
allow you to delete it 
wken you’re done. 


Ta ihi>: pjqp, ■few ne^d cn tog In to 
^ linT'dtth' on www. 

Vcur will In 


hljirve. sidn^vk 
P*bswrii 


n 4rrr«mbcr Eh 的 nai-iwwd (n my kcvc-hj'n 


•' ! ln 


SERVER [ ' PHP—AUTH—USER'] 

$ SERVER['PHP AUTH PW 1 



The f_£BRVBR 

supcv-global s-fcov-cs 
the dhd 

passwovd pcv-sis-tchtly. 


Cookies allow you to 
persistently store small 
pieces oi data on tke 
client tkat can outlive 
any single script … and 
can te cteletect at will! 


But we don’t have the luxury of HTTP authentication anymore because 
it can’t support log-outs. So we need to look elsewhere for user persistence 
across multiple pages. A possible solution lies in cookies, which are 
pieces of data stored by the browser on the user’s computer. Cookies are 
a lot like PHP variables except that cookies hang around after you close 
the browser, turn off your computer, etc. More importantly, cookies can 
be deleted, meaning that you can eliminate them when you’re finished 
storing data, such as when a user indicates they want to log out. 



Store 
cookie data 


Web server 



. 


Retrieve 
cookie data 




Client web 
browser 


Cookie data is stored on the user’s computer by their web browser. You 
have access to the cookie data from PHP code, and the cookie is capable 
of persisting across not only multiple pages (scripts), but even multiple 
browser sessions. So a user closing their browser won’t automatically log 
them out of Mismatch. This isn’t a problem for us because we can delete 
a cookie at any time from script code, making it possible to offer a log-out 
feature. We can give users total control over when they log out. 
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Whaf s iw a cookie? 

A cookie stores a single piece of data under a unique name, much 
like a variable in PHP. Unlike a variable, a cookie can have an expiration 
date. When this expiration date arrives, the cookie is destroyed. So cookies 
aren’t exactly immortal — they just live longer than PHP variables. You can 
create a cookie without an expiration date, in which case it acts just like a 
PHP variable — it gets destroyed when the browser closes. 



Name 

The unique name of the cookie 

一 Value 

The value stored in the cookie 


Expiration date 


The date when the cookie 


expires... and meets its demise 


Cookies allow you to store a string of text under a certain name, kind of 
like a PHP text variable. It’s the fact that cookies outlive normal script 
data that makes them so powerful, especially in situations where an 
application consists of multiple pages that need to remember a few pieces 
of data, such as log-in information. 



Scttmj a dookic^s 

date -fav- 

•m*to the -fuiu\rc mdkes 
•t rwov-c J>C\rrwa^C^-t. 



No 七 ^ 

c%piv"a*tioir\ date at 

all causes a Cookie *to 
be deleted *t^c 
Wov/scv" is closed- 


So Mismatch can mimic the persistence provided by the $_SERVER 
superglobal by setting two cookies — one for the username and one for the 
password. Although we really don’t need to keep the password around, it 
might be more helpful to store away the user ID instead. 



Dumb Questi 9 ns 

What’s the big deal about cookies 
being persistent? Isn’t data stored in a 
MySQL database persistent too? 

Yes, database data is most certainly 
persistent. In fact, it's technically much more 
persistent than a cookie because there is 
no expiration date involved—if you stick 
data in a database, it stays there until you 
explicitly remove it. The real issue in regard 
to cookies and persistence is convenience. 
We don’t need to store the current user’s ID 
or username for all eternity just to allow them 
to access their profile; we just need a quick 
way to know who they are. What we really 
need is temporary persistence, which might 
seem like an oxymoron until you consider the 
fact that we need data to hang around longer 
than a page (persistent), but not forever. 
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the setcookief) function 

Use 

#ak€- cookies with PHP 

PHP provides access to cookies through a function called setcookie () 
and a superglobal called $_COOKIE. The setcookie () function is 
used to set the value and optional expiration date of a cookie, and the 
$_COOKIE superglobal is used to retrieve the value of a cookie. 


setcookie('username', 


The -Piv-si 

"to sct^ookicO is the 
o( the Cookie- 


Sidneyk'); — 

r 

The value bo be 如 
m tKc tookic »s passed 

as i\\t sttov\A 



echo('<p class="login">You are logged in as ▼ . $ COOKIE['username'] 


丁 he o-p "the Cookie is used 

■to -the Cookie vdlue 

•m the f_C00^IB sup 饮 global. 


•</p>') 


The power of setting a cookie is that the cookie data persists across 
multiple scripts, so we can remember the username without having to 
prompt the user to log in every time they move from one page to another 
within the application. But don’t forget, we also need to store away the 
user’s ID in a cookie since it serves as a primary key for database queries. 


Tke PHP 

setcookieO function 
allows you to store 
data in cookies. 


setcookie('user_id', '1'); 

Cookies arc always sWd as 
七 so cvcr\ *bV^c usev 

|P is a number, wc siorc i*b m 
a Cookie as i\\t T. 




The setcookie () function also accepts an optional third argument 
that sets the expiration date of the cookie, which is the date upon which 
the cookie is automatically deleted. If you don’t specify an expiration 
date, as in the above example, the cookie automatically expires when the 
browser is closed. 
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:^l|^rpei your pencil 


Switching Mismatch to use cookies involves more than just writing a new 
Log-Out script. We must first revisit the Log-In script and change it to use 
cookies instead of HTTP authentication. Circle and annotate the parts of 
the Log-In code that you think need to change to accommodate cookies. 


<?php 

require 一 once('connectvars.php ')； 

if (!isset($_SERVER['PHP_AUTH_USER']) I I !isset($— SERVER [' PHP AUTH PW'])) { 

^ 3 == n ，? e/PaSSWOrd WGren，t ente r e d s。send the authentication headers 
header('HTTP/1.1 401 Unauthorized'); 

header('WWW-Authenticate: Basic realm="Mismatch M ')； 

exitC<h3>Mismatch</h3>Sorry, you must enter your username and password to ' 

ogm and access this page. If you aren\’t a registered member, please 1 
) <a href= 'signup.php M >sign up</a >.')； • 

// Connect to the database 

$dbc = mysqli 一 connect(DB—HOST, DB—USER, DB—PASSWORD, DB NAME); 

// Grab the user-entered log-in data 

$user_username = mysqli_real_escape_string($dbc, trim($—SERVER 「 PHP AUTH USER-1)) 
$user_password = mysqli_real_escape_string($dbc, trim($—SERVER['PHP:AUTH 二 PW'])); 

// Look up the username and password in the database 

- 'SELECT user—id, username FROM mismatch—user WHERE username = M 
$user_username' AND password = SHA('$user_password ') M ； 

$data = mysqli 一 query($dbc, $query); 

if (mysqli 一 num—rows($data) == 1 ) { 

〈/The log-in is OK so set the user ID and username variables 
$row = mysqli 一 fetch—array($data); 

$user_id = $row['user id']; 

$username = $row['username']; 

else { 

^he username/password are incorrect so send the authentication headers 
header('HTTP/1.1 401 Unauthorized 1 )； 
header ( ! WWW-Authenticate : Basic realm= !T Mismatch n f )； 

exit('<h2>Mismatch</h2>Sorry, you must enter a valid username and password - 

,° l0g in and access thls Page. If you aren\'t a registered member,' 
please <a href= M signup.php M >sign up</a >.')； 


?> 


// Confirm the successful log-in 

echo('<p class="login">You are logged in as 


$username • '.</p >')； 


login.php 
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sharpen your pencil solution 


(^iterpen your pencil 

Solution 


tkttd {jo dhcdk -Pov the 
c^isicr^dc of a dookic to 
see i-f 七 he useir is lo^ed \y\ 

o\r 灼 ot 


Switching Mismatch to use cookies involves more than just writing a new 
Log-Out script. We must first revisit the Log-In script and change it to use 
cookies instead of HTTP authentication. Circle and annotate the parts of 
the Log-In code that you think need to change to accommodate cookies. 


Instead usc\nr>amc av\d 

^dssv/o\rd -fvom 朽 v/mdov /； 

v/e Med *to use a -fovm v/i*th POST da*ta- 


<?php 

require_once('connectvars.php ')； 




l/\fe y\o 
v\ttd bo 

st^A HTTP 

au*tV^Cir\*b^a*tior\ 

iicadcv-s. 


lf ^,^ SGt ($ ~ SERVER[ ' PHP — AUTH —USER 1 ] ) I I !isset ($—SERVER [ I PHP AUTH PW ,_ ] V) { 

h ~^^ n ^ e/PCiSSW - rd WereU 1 - Lhe auLh.nUcallon headers 

header ('HTTP/1.1 401 Unauthorized ')； 

header('WWW-Authenticate : Basic realm= M Mismatch M ') • / 

— iV ks^tcn</n3>Sorry, you must enteT^^ername and password to - 
log in and access this page. If you aren\-t a registered member, please ' 

<a href- signup.php M >sign up</a >.')； 

// Connect to the database 

$dbc = mysqli 一 connect(DB—HOST, DB—USER, DB—PASSWORD, DB NAME); 

// Grab the user-entered log-in data _ _. 

fuser—username - mysqli—real—escape—string($dbc, trirff^^SERVER['PHP AUTH USER'1 V 
$user_password = mysqli_real_escape_string ($dbc, tri^($~SERVER[ - PHP>UTH>W ']))； 

// Look up the username and password in the database 

$ q 二 , 7 — " SELECT user —id, username FROM mismatch—user WHERE username 
$user_username' AND password = SHA('$user_password ') M ； 

$data = mysqli—query($dbc, $query); 


if (mysqli 一 num— rows($data) == 1 ) { 

// The log-in is OK so set the user 
$row = mvser.” 一 fPkln 卜〕、 ； 


ID 




user_id : 
username 


$row[▼user 一 id 
: $row['username 


■ne^/ 


else 


The <\uc\ry doesh't 

have -bo at all/ 

and username variables 

Hcvc WC \r\ccd *to SC*b 

*U/o Cookies 'ms*bcad of 

: 七七 script vavisblcs. 


•Username/password are incorrect so send the authentication headers 
header ( ' HTTP/1.1 401 Unauthorized'); - - - 

Reader('WWW-Authenticate : Basic realm="Mismatch M ') 

) ⑷祕 L enLer a V^rTTlTsername and password 
o og in and access this page. If you aren\'t a registered member,' 


'please <a href= M signup.php M >sign up</a >.')； 


?> 


// Confirm the successful log-in 

echo ('<p class= M login M >You are logged in as 


$username • '.</p>') 


V/C rely oy> *tKc HTTP au*tKcv>tidatioir> Window 
-fov- cy>*tcv-*m5 ihe uscv-r>amc a^d passv/o\rd, v/c need -to 

Creaic HTML L03 一 I 灼 -fo\rm (or Acm- 


login.php 
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Rethinking the flow of log-ms 

Using cookies instead of HTTP authentication for Mismatch log-ins 
involves more than just rethinking the storage of user data. What about 
the log-in user interface? The cookie-powered log-in must provide its 
own form since it can’t rely on the authentication window for entering a 
username and password. Not only do we have to build this form, but we 
need to think through how it changes the flow of the application as users 
log in and access other pages. 







HTTP 

Wrndoy/ 

-fov uscvr\amc 

aytd passy/ovd -fov- lo^-ms. 


C\r 


sudtcss-Pully 
the usev- is \rcdivcdicd 
ba^k -fco -the home page, 
wheve "the now \rcvcals 
ihai -they avc lo^ed m. 



I/Vhe 灼⑽七 lo^ed •m, the 

rwembev-s av-c 

displayed as siaiit. ^a^es. 


index.php 



㈣ 


TiiC Lo^-Out st\rip*t is 
aMessible via a lm “ is 
f3V"*t o-f lo^—m s*t3*tus. 


■ Vlpw FrrrfUf 

£l«dfr: Ffmrfe 

ikrUKR IflM 布■導 m 
l^r«dr» 


ffVwrt,' 








Rcs-bv'ittcd 
>>/ accessible s\y\tc 
f -bv^c usc\T IS lo%cd w 


， Vjct- ftBfit 

H 叫 The 

^vigatioh mchu 
ihdudes a Log 
Out lihk that 

also shows -the 

usevhame o-p -the 

1 <>咖 \ y \ USCV-. 



A-Ptc^r Io 00 ih^ •…， the 
latest r»Crhbc\r hdmes 
fihanjc "to links -fco theiv 
^resped-tive p\ro^ilc views. 



index.php 


viewprofile.php 
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login.php — now cookie-powered! 


A cookie-powered log - iw 

The new version of the Log-In script that relies on cookies for log-in 
persistence is a bit more complex than its predecessor since it must 
provide its own form for entering the username and password. But it’s 
more powerful in that it provides log-out functionality. 


^ no 


WfcymJtttl ■ Login 


MucemUh - In 
Usernsm^ 



In 


<?php 

require_once('connectvars.php'); 

// Clear the error message 
$error msg =""; 


messages av-c how s-tov-cd 
a Viable 3hd displayed, i-f 
latcv- ih the Wi 


hc^cssav-y, 




// If the user isn't logged in, try to log them in 

if (!isset($_COOKIE['user—id'])) - 

if (isset($_POST['submit'])) 

// Connect to the database 
$dbc = mysqli connect(DB HOST, DB USER, DB PASSWORD, DB NAME); 


login.php 
ttev-cs the hCW 

Log—|h -fo\rrn. 


Wipt. 

CV^ctk i\\t uscv-_»d took'ic *to 
see i-P user is \oofytd *m- 

l*f the usev* lo^ed 

•m, see i-f they’ve 

submi-tied da-ta. 

TVic uscv--cr\*tcv-cd data 


// Grab the user-entered log-in data 
$user username = mysqli real_escape_string($dbc, trim($—POST['username'])); 
$user password = mysqli real escape string($dbc, trim($ POST['password'])); 


y\o>n tomes -from -fov-m 

_ POST daia mstcad o-f 

if ( ! empty ($user_username) && ! empty ($user—password) ) { ' ^ ^ V/lhdoV/- 

'$user username' AND ". 


// Look up the username and password in the database 

$query = "SELECT user id, username FROM mismatch 一 user WHERE username 
"password = SHA ('$user—password; 

$data = mysqli query($dbc, $query); 


L03 ih the usc\r by settmg 

⑽饮 __id 3 hd Cookies. 


/ index.php 


if (mysqli—num—rows($data) == 1) { 

// The log-in is OK so set the user ID and/username cookies, and redirect to the home page 
$row = mysqli fetch 一 array($data); 
setcookie('user—id', $row['user—id']); 
setcookie('username ', $row['username']); 

$home_url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) 

header('Location : ' . $home_url); 

} _ 

else { 

// The username/password are incorrect so set an error message 
$error_msg = 'Sorry, you must enter a valid username and password to log in.' 

} 


else 


// The username/password weren't entered so set an error message 
$error msg = 'Sorry, you must enter your username and password to log in. 


Rcd'iv-ct*t usev 
*to Alisma'ttK 
liomc pay upov> a 

sutdess-ful 




?> 


<html> 

<head> 

<title>Mismatch - Log 工 n</title> 

clink rel= M stylesheet M type= M text/ css" href= M style.css" / > 
</head> 

<body> 

<h3>Mismatch - Log In</h3> 




1 hues 


o" ihe -Pa^ihj page... 



Set -the C\r\ro\r messol^e 
vaviablc i-f is 

w\tok^ with ihc log-*m data. 


TKc Lo^-U sCx\yi IS yvoy/ d -full 

y/eb so *i*t vc^uircs all 
sla^dard HTML elemerrb. 


380 Chapter 7 
















building personalized web apps 


<?php 

// If the cookie is empty, show any error message and the log-in form; otherwise confirm the log-in 
if (empty($_COOKIE['user_id'] ) ) { 

echo '<p class= M error M >' . $error msg . '</p>'; 


?> 


<form method= M post M action= M <?php echo $_SERVER['PHP—SELF']; ?>"> 

<fieldset> 

<legend>Log In</legend> 

〈label for= M username">Username :</ label 〉 

<input type="text" id= M username" name="username" 

value= M <?php if (!empty($user username)) echo $user username; ?> 
<label for="password">Password:</label> 

<input type="password" id="password" name="password" / > 

</fieldset> 

<input type= M submit" value="Log In" name="submit" / > 

, pviov *to *tiVis duvly bvadc 

<?php / — IS still pav*t o( -fl-f clause. 


l-f usev still lo^cd 
•m a 七 Ais 5° 

av\d s\\o>n iiic cv-vo\r message. 



/ Xbr /> 

"These two -fo\nr»» -fields 

used "to the 

passwo\rd -fo\r ih. 



else { 

// Confirm the successful log in 

echo('<p class= M login M >You are logged in as 

} 


|-f usc\r is 105yd m a*t 
pom 七 , jus*t *tcll so- 


COOKIE['username'] . '.</p>'); 


?> 


</body> 

</htmi> "the HT/WL Code h> 

Complete the Log-|h web page. 


ihereictre no ^ 

Dumb Questions 


Why is it necessary to store both 
the user ID and username in cookies? 

Since both pieces of information 
uniquely identify a user within the Mismatch 
user database, you could use either one for 
the purpose of keeping up with the current 
user. However, user_id is a better (more 
efficient) user reference with respect to the 
database because it is a numeric primary 
key. On the other hand, user_id is fairly 
cryptic and doesn't have any meaning to the 
user, so username comes in handy for letting 
the user know they are logged in, such as 
displaying their name on the page. Since 
multiple people sometimes share the same 
computer, it is important to not just let the 
user know they are logged in, but also who 
they are logged in as. 


Then why not also store the 
password in a cookie as part of the log-in 
data? 

The password is only important for 
initially verifying that a user is who they 
claim to be. Once the password is verified as 
part of the log-in process, there is no reason 
to keep it around. Besides, passwords 
are very sensitive data, so it's a good idea 
to avoid storing them temporarily if at all 
possible. 


It looks as if the form in the 
Log-In script is actually inside the if 
statement? Is that possible? 

Yes. In fact it’s quite common for PHP 
code to be “broken up” around HTML code, 
as is the case with the Log-In script. Just 
because you close a section of PHP code 
with ?>, doesn’t mean the logic of the code 
is closed. When you open another section of 
PHP code with <?php, the logic continues 
right where it left off. In the Log-In script, the 
HTML form is contained within the first if 
branch, while the else branch picks up 
after the form code. Breaking out of PHP 
code into HTML code like this keeps you 
from having to generate the form with a 
bunch of messy echo statements. 
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mismatch’s dynamic menu 


Navigating the Mismatch application 


The new Log-In script changes the flow of the Mismatch application, 
requiring a simple menu that appears on the home page (index . php). 
This menu is important because it provides access to the different major 
parts of the application, currently the View Profile and Edit Profile pages, 
as well as the ability for users to log in, sign up, and log out depending on 
their current log-in state. The fact that the menu changes based on the 
user’s log-in state is significant and is ultimately what gives the menu its 
power and usefulness. 


丁 his mchu appca\rs y/keh B 
usc\r is hot logged ih, givihg 
ihervt dh oppo\rtuhi-ty -fco 
ci*tlic\r log ih o\r si^h up. 


曾 Sian Up 


■rfti 




Ruby 



Jflhaci 


A is shov/h 

dcpchdihj Oh whether the 

uscv*h3rwc Cookie is set 


Paul 


— = 


DitniK 


Jbsod 




丁 he ihdcx.php sdvip-t 
khows -to show -the 
limrtcd r^Chu 
it 亡 ah 七 ihd "the 
uscirhamc Cookie. 


The menu is generated by PHP code within the index . php script, and 
this code uses the $—COOKIE superglobal to look up the username cookie 
and see if the user is logged in or not. The user ID cookie could have also 
been used, but the username is actually displayed in the menu, so it makes 
more sense to check for it instead. 
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Ajlna^ -Wbrire HOppaiiitft Jinr^ft! 


Ti^C userid dookic isr\ *t 

used -foV" *tV^c d»-f-fcvcr\*t 
mCK\us W 七 is s 七 ill 
'imfov*tay\*t -fo\r Misma*Uii 

user pevsis 七 eMe. 


oppoat^ attract 


sidneyk 


username 


USCV-^dmC 


dookic also lets 


the 


khow 


user 


I 。於 ed 


y/no 


is 


m 


D.kailir 


The uscv-^arwc 乙 ooki( 
dctc\rrhihcs 
^Chu is displayed 


Mcr\u -for 105 yd 


'm USCV"S 


// Generate the navigation menu 
if (isset($_COOKIE [ 1 username']) 

echo '&#10084; <a href="viewprofile.php">View Profile</a>^or / > 
echo '&#10084; <a href="editprofile.php">Edit Profile</a>Kbr / >'; 
echo * & #10084; <a href="logout.php">Log Out (▼ . $ COOKIE[’username’] 


，） </a> 


else { 
echo 
echo 


&# 10084 ; 

&# 10084 ; 


<a href ： 
<a href ： 


login.php">Log In</a><br / > 
signup.php">Sign Up</a> 1 ; 


\ 


TV little \\tari symbols 心七 *to 
cbcM 州 er\u av-c made possible 





s 


Alchu -Po\r visi-fcov* 
(use\rs who a\rch ； -t 
logged ih) 


by 七 iVis HTML tv\hb/, ,s 

supported ov\ mos*t bvov/scv"S. 
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log out users by deleting cookies 



Sidney is 
still 

*to lo^ 




oui 


Hello, remember 
me? I still really, 
really need to log out. 


We really need to let users log out. 

Cookies have made logging into Mismatch and navigating the site a bit 
cleaner, but the whole point of switching from HTTP authentication to 
cookies was to allow users to log out. We need a new Log-Out script that 
deletes the two cookies (user ID and username) so that the user no longer 
has access to the application. This will prevent someone from getting on 
the same computer later and accessing a user’s private profile data. 

Since there is no user interface component involved in actually logging 
out a user, it’s sufficient to just redirect them back to the home page after 
logging them out. 


■ftnn 





logoutphp 


The LoJ-0u*t sdv-ift 
deletes usev 
I03 一 m dookics 
vcdiv-cd*ts badk *to 
七 he home 
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Logging out means deleting cookies 


Logging out a user involves deleting the two cookies that keep track of the 
user. This is done by calling the setcookie () function, and passing an 
expiration date that causes the cookies to get deleted at that time. 

The du\r\rch-t tirwc Scto^ds 

s 

setcookie('username', 'sidneyk', time() + (60 * 60 


Alihu-tcs 


ttouv-s 





This code sets an expiration date 8 hours into the future, which means the 
cookie will be automatically deleted in 8 hours. But we want to delete a 
cookie immediately, which requires setting the expiration date to a time in 
the past. The amount of time into the past isn’t terribly important — just 
pick an arbitrary amount of time, such as an hour, and subtract it from 
the current time. 

setcookie(▼username', 'sidneyk', time() - 3600); 

i>0 sctoi^ds ^ mmu'tcs == - 1>^00 _ 
seto^ds, v/liidii is I Kouv m*to {ht fast 


To^cr, -tW.s 
sc*b da-tc 

七 IS G Kou\rS 
七 he tuv-v-cy\*t 


To delete a 
cookie，just set its 
expiration date to 
a time in tke past . 



E%ettciSe 


The Log-Out script for Mismatch is missing a few pieces of code. Write the missing code, making 
sure that the log-in cookies get deleted before the Log-Out page is redirected to the home page. 


<?php 

// If the user is logged in, delete the cookie to log them out 
if ( ) { 

// Delete the user ID and username cookies by setting their expirations to an hour ago (3600) 


// Redirect to the home page 

$home_url = 'http://' . $_SERVER['HTTP—HOST'] . dirname($_SERVER['PHP—SELF']). 
header('Location : ' . $home url); 


?> 
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the complete logout.php script 



The Log-Out script for Mismatch is missing a few pieces of code. Write the missing code, making 
sure that the log-in cookies get deleted before the Log-Out page is redirected to the home page. 


<?php 

//If the user is logged in, delete the cookie to log them out ^ly lo^ ou*t 3 USCV* i-f 七 hey 

if ( issciff^COOmruse^Jd'J) ) { <： - -- ^ w al,rcad y lo 99 cd 

// Delete the user ID and username cookies by setting their expirations to an hour ago (3600) 

sctdookic^uscv- id^ U , timcO - ^ , i . 丄 、 ^ 

.—... .. ^ Set took.c to an V^ouv d di / ,,, 

sdookWsm^me’， u , *timcO - Z^>00); ^ m past so aa .,., 

).^ a. ^ b Y s Y ^. 

如 absolute URL. 

// Redirect to the home page 

$home_url = 'http: // ' . $_SERVER ['HTTP—HOST ' ] . dirname ($_SERVER [ ' PHP_SELF ' ] ) . ' /•mdeX.f.hp 

header('Location : ' . $home url); 

?> A \ocahov\ iicadcv results *m *tKc 

bvov/sev vcdiv-cdtm^ *to ay>o*tKcv fa^c- 




Tqst DriVq 


Use cookies to add Log-Out functionality to Mismatch. 


Modify the Mismatch scripts so that they use cookies to allows users to log in and out (or 
download the scripts from the Head First Labs site at www. headfirst labs • com/ 
books/hfphp. The cookie modifications involve changes to the index . php, login . php, 
logout. php, editprof ile . php, and viewprof ile . php scripts. The changes 
to the latter two scripts are fairly minor, and primarily involve changing $user_id and 
$username global variable references so that they use the $_COOKIE superglobal instead. 

Upload the scripts to your web server, and then open the main Mismatch page (index . php) 
in a web browser. Take note of the navigation menu, and then click the “Log In” link and log 
in. Notice how the Log-In script leads you back to the main page, while the menu changes to 
reflect your logged in status. Now click “Log Out” to blitz the cookies and log out. 
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' 嗶 Film 1 


Mk-tnulcfa - Whm 叩 

拳 Lflfa 

K L ■ 


nr 




Cookies a\rc 
^\rcatcd -to 
\rcrwcrhbc\r the 
usc\r dhd lo^ \v\. 1 



t 




}va 


^ ^ n 

WAwij-r iLomkL 

MJhmIcIi «L014 Jin 

b— 

— . ■ 

T-^fc run •: 


rHViv#. -Mu- I 

[La^ap "1 

^1 





Mivmmdb ■ Vfcw Fr^ 




r 


Cookies av-c *t^v-oy/r\ 
av^ay *to -fov^ct 七 he 

usc\r 3 r\d loj out 


thereiare no ^ 

Dumb Questi9ns 




IVliefi Ofip^ll^ *Hnis1 




Logging in and 
out of Mismatch 
is now controlled 
entirely by cookies- 




v/V^ilc siic s av/ay. 


So simply deleting the cookies is all that is required to log out? 

Yes. Cookies are responsible for storing all of the log-in information for Mismatch (user ID and 
username), so deleting them results in a complete log-out. 

Why are the cookies set to an hour in the past in order to be deleted? Is there 
something significant about an hour? 

No. A cookie is automatically deleted by the web browser once its expiration date/time passes. 
So deleting a cookie involves setting the expiration to any time in the past. An hour (3600 seconds) 
is just an arbitrary amount of time chosen to consistently indicate that we're deleting a cookie. 


Sidney is pleased 
s\\t cav\ I 05 
ou*t kr\o>w 七 ha 七 

pvof ilc 乙 W 七 be 
edited by a^yor^c 
ile she’s 
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storing user data on the server, instead of the client 


USCV" JdSOh) loVCV" of 

Wiki%, body ficv-dmjs, ay\d ttov/avd 
Stem, has Cookies disabled *m W»s 
broy/sev", y/MA f\rcscn*ts 3 fv-oblcrw 

-fov m. 

、一 Q 


TKc 

1。3 - h s*t 3 V"ts 
Kcv-c. 


Uh-oh. I have cookies 
disabled in my browser, 
and I can’t log in. What 
am I supposed to do? 


Smdc dookics avc disabled, *t^c 

sc^ds usev badk -to W 
ry^e wAV^ou*t lo^cd 





P ' 

I The bvowsev" 


Client web 
browser 


V 1 hc b\rov/se\r \re\e^is -the 
^ ^okies, pvcvchtihg ihe Log- 
i 办 中七 ^ set-tihg them. 


The sewev a 七 Wfb 
{jo sc*t *t^c usev IP 

SY\d uscvy\awc dookics 

on *tV^c WoY/scv. 


Who cares about 
Jason? Don’t most people 
have cookies enabled? 


Yes, but web applications should be as accessible to 
as many people as possible. 

Some people just aren’t comfortable using cookies, so they opt for the 
added security of having them disabled. Knowing this, it’s worth trying to 
accommodate users who can’t rely on cookies to log in. But there’s more. 

It turns out that there’s another option that uses the server to store 
log-in data, as opposed to the client. And since our scripts are already 
running on the server, it only makes sense to store log-in data there as well. 
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building personalized web apps 


Sessions aren't dependent on the client 


Cookies are powerful little guys, but they do have their limitations, such 
as being subject to limitations beyond your control. But what if we didn’t 
have to depend on the browser? What if we could store data directly 
on the server? Sessions do just that, and they allow you to store away 
individual pieces of information just like with cookies, but the data gets 
stored on the server instead of the client. This puts session data outside of 
the browser limitations of cookies. 


Sessions allow you to 
persistently store small 
pieces ol data on tke 
server , inctepenctently 


Web server 



oi tke client. 


丁 he bvowscir does "’ 七 

•fa 匕 "tov* divc^tly 

,h "t° "the s-fcovage of 
s «sioh daia s\uc 
cvcvy-thihg is sio\red 

Oh the SCV-VCV-. 




Client web 
browser 


Sessions store data in session variables, which are logically equivalent 
to cookies on the server. When you place data in a session variable using 
PHP code, it is stored on the server. You can then access the data in the 
session variable from PHP code, and it remains persistent across multiple 
pages (scripts). Like with cookies, you can delete a session variable at any 
time, making it possible to continue to offer a log-out feature with session- 
based code. 


Since session data is 
stored on tke server, 
it is more secure and 




Surely there’s a catch, right? Sort of. Unlike cookies, sessions don’t 
offer as much control over how long a session variable stores data. 
Session variables are automatically destroyed as soon as 
a session ends, which usually coincides with the user shutting 
down the browser. So even though session variables aren’t stored 
on the browser, they are indirectly affected by the browser since 
they get deleted when a browser session ends. 


more reliable titan 
data stored in cookies. 

A useir mdhually 
scssioh daia usmg theiv 
bvowsc\r ; whidh be a 
piroblcm with Cookies. 

TV^cvc a 於 date associated 

y /邮 session variables because tiicy avc 
auWatu^ally deleted 絀⑼ a session ⑼ ds. 
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the session_start() and session_destroy() functions 


The life and times of sessions 


Sessions are called sessions for a reason — they have a very clear start 
and finish. Data associated with a session lives and dies according to the 
lifespan of the session, which you control through PHP code. The only 
situation where you don’t have control of the session life cycle is when the 
user closes the browser, which results in a session ending, whether you like 
it or not. 

You must tell a session when you’re ready to start it up by calling the 
session start () PHP function. 


Tke PHP session^startO 

function starts a session 
and allows you to tegin 
storing data in session 
variatles* 


session start(); 



TVi'is PttP 

stav-b a session. 




Galling the session—start () function doesn’t set any data — its job 
is to get the session up and running. The session is identified internally 
by a unique session identifier, which you typically don’t have to concern 
yourself with. This ID is used by the web browser to associate a session 
with multiple pages. 


Web server 


Tiiis is u^i<\uc 
session IP> 
is 乙 ally 

^cr\cva*tcd as pav 七 

Jc a Y\t>N session- 


di session is 

siaritd, a session ID 

is set that Uhi^ucly 
idchti-Pics the session 


Client web 
browser 

Tiic session IP is used 
beKmd sdc^cs bo allov/ 
mu Itiplc pays *to sKav-c 
addess *to session data. 


viewprofile.php 

editorofiio 


The session ID isn’t destroyed until the session is closed, which 
happens either when the browser is closed or when you call the 
session destroy () function. 


Tke session^destroyO 
function closes a session. 


This PHP 

session_destroy () ; e^ds a session. 

If you close a session yourself with this function, it doesn’t 
automatically destroy any session variables you’ve stored. Let’s take 
a closer look at how sessions store data to uncover why this is so. 
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Keeping up with session data 


The cool thing about sessions is that they’re very similar to cookies in 
terms of how you use them. Once you’ve started a session with a call to 
session—start (), you can begin setting session variables, such as 
Mismatch log-in data, with the $ SESSION superglobal. 


$_SESSION['username 1 

The o( the session , 
V 3 v*i 3 blc is used 3 s cIk> ihdex iivto 

the f__£B££lOhl supe\r^lobdl. 


sidneyk '^ 

TV^c value bo be s*to\rcd 
is jus 七 assigned *to 七 he 
f SESSION sufcv-^lobal- 


echo('<p class="login">You are logged in as ' . ^ 

Unlike cookies, session variables don’t require any kind of special function 
to set them — you just assign a value to the $_SESSION superglobal, 
making sure to use the session variable name as the array index. 

What about deleting session variables? Destroying a session via 
session_destroy () doesn’t actually destroy session variables, so 
you must manually delete your session variables if you want them to be 
killed prior to the user shutting down the browser (log-outs!). A quick 
and effective way to destroy all of the variables for a session is to set the 
$_SESSION superglobal to an empty array. 


$ SESSION = array() 


This dodc kills dll o-f -the session 
variables m -the duv-v-cht scssioh. 


But we’re not quite done. Sessions can actually use cookies behind the 
scenes. If the browser allows cookies, a session may possibly set a cookie 
that temporarily stores the session ID. So to fully close a session via PHP 
code, you must also delete any cookie that might have been automatically 
created to store the session ID on the browser. Like any other cookie, you 
destroy this cookie by setting its expiration to some time in the past. All 
you need to know is the name of the cookie, which can be found using the 
session name () function. 




if (isset($_COOKIE[session— name()])) { 

setcookie(session name(), time() - 3600) 




The scssioh v^Hdble 

,s ahd 

s "tov-cd oh -fchc 


scv-vcv-. 



SESSION['username'] . '.</p>') 


autss^ -the session vaHdble, just 
use "the f __superglobal 
ahd -the scssioh Vd\ridble hdme. 


Session variables 
are not automatically 
cteleted wken a 
session is destroyed. 


a scss\ov\ \aS\y\^ 3 
dookic bo V^clf v-cmcmbcv 

从 C scss»ov^ IP, 

|P is sbortA a 
earned afW 如 cm 


Fi\rs ■(: "to see 

a session Cookie 
actually cxis-fcs. 


f Pcs*tvoy session dookic 
^ — by *rb c%p*ivatioir> 

*bo by\ i^ouv \y\ *tKc past 
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how mismatch works with sessions 


S*tav*t V^cv-c! 



叫釋 inipa 


Whsu qfifhoc-iii i atlrirt; 


j 

L'£ 



Renovate Mismatch with sessions 

Reworking the Mismatch application to use a session to store log-in data 
isn’t as dramatic as it may sound. In fact, the flow of the application 
remains generally the same — you just have to take care of a little extra 
bookkeeping involved in starting the session, destroying the 
session, and then cleaning up after the session. 


. 

session__start {) } 

Tiic session—s*ba\rtO 
yts s*t 3 \rtcd by 

d session- 

Cookies a\rc Cabled, the 
scirvcv Crcaics one io hold 
"the session IP — otherwise 
the ID is passed thv-ough 
the URL Jc eddh pa^e. 


Ty/o session 
variables avc 
tv-ca*bcd *to s*tovc 
七 he usev- IP ar\d 

USCV" 灼 -fov *bV)C 
I 03 - ’m. 


session 一 destroy 。； 



TiiC sessiem 一 des*broY() 

ends i\\t session, 

used m ar\o*t^cv 


l-f 3 Cookie wds used 
■feo hold -the session 

ID, ii is dcsi\roycd. 


丁 he session variables 
3 V"c des-fcv-oyed by 
dcav-ihg out the 

f 一 SESS| 0 " 3 \r\r 3 y. 



Lo0—ih dd'td is how 
\rcrwcrhbc\rcd usih^ a session 
ihstc^d o-p Cookies. 
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Log out with sessions 


Logging a user out of Mismatch requires a little more work with sessions 
than the previous version with its pure usage of cookies. These steps must 
be taken to successfully log a user out of Mismatch using sessions. 


o Delete the session variables. 

0 % Check to see if a session cookie 
切 exists, and if so, delete it. 

❺ Destroy the session. 

o Redirect the user to the home page. 



You (W 七 kr\oy/ (or Uri^\v\ 
•»<f d session Cookie is 
used v/'rt^ou*t 

so *tKis is s bohus 

that ish'-t st\rid：|y 

■to log -the usc\r oui but is 

Mp*Pul hohcthclcss. 


The Log-Out script for Mismatch is undergoing an overhaul to use sessions 
instead of pure cookies for log-in persistence. Write the missing code to 
"sessionize”the Log-Out script, and then annotate which step of the log-out 
process it corresponds to. 

<?php 

//If the user is logged in, delete the session vars to log them out 
session 一 start(); 

if ( ) { 

// Delete the session vars by clearing the $_SESSION array 


^^rp 6 n your pencil 


// Delete the session cookie by setting its expiration to an hour ago (3600) 
if (isset ($ COOKIE[session name()])) { 


// Destroy the session 


// Redirect to the home page 

$home_url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . '/index.php'; 
header('Location : ' . $home url); 

?> 
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the "sessionized" Jogout.php 

- Sharpen ywr pencil 

7 hkm 


The Log-Out script for Mismatch is undergoing an overhaul to use sessions 
instead of pure cookies for log-in persistence. Write the missing code to 
'sessionize^the Log-Out script, and then annotate which step of the log-out 
process it corresponds to. 


Delete the session variables. 

© Chc^k *to sec i-f 3 session Cookie c^is*ts, i-f so, 

delete it 

Dcsbroy session. 

Rcdi\rc^*t usc\r *to home paje- 

它 ve 灼 lo^mj ou ^ Y ou 

{p stav-t session *m ov-dev- 

<?php / io 9Ucss ihc session variables. 

//If the/aser is logged in, delete the session vars to log them out 
session start () ; /^o\w a session variable is used to dhedk 

if ( issciff SESSlONruscr id^) ) { lo 3 - m 如七沾 i^cad a Cookie. 

// Delete the session vars by clearing the $_SESSION array 

j SESSION =1 a^ayO; ^ - . To dea, out tKe sess.o, va^ables, ass.5, tKe 

. 7 …… (T) /_SKS|0K 〒咖 l>al a 竹 a 叫 . 

// Delete the session cookie by setting its expiration to an hour ago (3 600) 
if (isset($—COOKIE[session—name ()])) { 

sctdookicfscssio^^amcO, -timcO - 3 厶 00); 

} 夕 s «sioh dookic exists, delete \i by 

scUmg its cxpiiralioh b> houv- a<\o. 

II Destroy the session J 

scssioir\__dcs*t\roy ()； 、 Vcsbroy session v/'rth 

} (^J a tall *to *tKc 

sessiof)^_desWoy() -fur>d*tioy>. 

// Redirect to the home page 

$home_url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . '/index.php 
header('Location : ' . $home_url); /^T\ 

?> 
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The move from cookies to sessions impacts more than just the Log-Out 
script. Match the other pieces of the Mismatch application with how 
they need to change to accommodate sessions. 


0 

appvars.php 


connectvars.php 




editprofile.php 


No change since the script has no direct dependence on 
log-in persistence. 

Sessions are required to remember who the user is. Gall 
the session_start () function to start the session, 
and then change $— COOKIE references to $— SESSION. 

Sessions are required to control the navigation menu. 
Gall the session—start () function to start the 
session, and then change $_COOKIE references to 
$ SESSION. 
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how do i change solution 






■ 


W t 免 M 象 M 备*，- 

The move from cookies to sessions impacts more than just the Log-Out 
script. Match the other pieces of the Mismatch application with how 
they need to change to accommodate sessions. 



No change since the script has no direct dependence on 
log-in persistence. 


Sessions are required to remember who the user is. Gall 
y — the session_start () function to start the session, 

! and then change $_COOKIE references to $_SESSION. 

Sessions are required to control the navigation menu. 
Gall the session—start () function to start the 
session, and then change $_COOKIE references to 
$ SESSION. 


editprofile.php 
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BULLET POINTS - 

■ HTTP authentication is handy for restricting access to 
individual pages, but it doesn’t offer a good way to log 
out” a user when they’re finished accessing a page. 

■ Cookies let you store small pieces of data on the client 
(web browser), such as the log-in data for a user. 

■ All cookies have an expiration date, which can be far 
into the future or as near as the end of the browser 
session. 


To delete a cookie, you just set its expiration to a time in 
the past. 

Sessions offer similar storage as cookies but are stored 
on the server and, therefore, aren’t subject to the same 
browser limitations, such as cookies being disabled. 

Session variables have a limited lifespan and are always 
destroyed once a session is over (for example, when the 
browser is closed). 



The session 一 start () 
function gets called in a lot of different 
places, even after a session has been 
started. Are multiple sessions being 
created with each call to session— 
start () ? 

No. The session—start () 

function doesn't just start a new session—it 
also taps into an existing session. So when 
a script calls session—start (), 
the function first checks to see if a session 
already exists by looking for the presence 
of a session ID. If no session exists, it 
generates a new session ID and creates the 
new session. Future calls to session— 
start () from within the same application 
will recognize the existing session and use it 
instead of creating another one. 

So how does the session ID 
get stored? Is that where sessions 
sometimes use cookies? 

Yes. Even though session data gets 
stored on the server and, therefore, gains 
the benefit of being more secure and outside 
of the browser’s control, there still has to be 
a mechanism for a script to know about the 
session data. 


This is what the session ID is for—it uniquely 
identifies a session and the data associated 
with it. This ID must somehow persist on the 
client in order for multiple pages to be part of 
the same session. One way this session ID 
persistence is carried out is through a cookie, 
meaning that the ID is stored in a cookie, 
which is then used to associate a script with 
a given session. 

If sessions are dependent on 
cookies anyway, then what’s the big deal 
about using them instead of cookies? 

Sessions are not entirely dependent 
on cookies. It's important to understand 
that cookies serve as an optimization for 
preserving the session ID across multiple 
scripts, not as a necessity. If cookies are 
disabled, the session ID gets passed from 
script to script through a URL, similar to how 
you’ve seen data passed in a GET request. 
So sessions can work perfectly fine without 
cookies. The specifics of how sessions 
react in response to cookies being disabled 
are controlled in the php.ini configuration 
file on the web server via the session. 
use_cookies,session.use_ 
only_cookies, and session. 
use trans sid settings. 


It still seems strange that sessions 
could use cookies when the whole point 
is that sessions are supposed to be 
better than cookies. What gives? 

While sessions do offer some clear 
benefits over cookies in certain scenarios, 
they don’t necessarily have an either/or 
relationship with cookies. Sessions certainly 
have the benefit of being stored on the 
server instead of the client, which makes 
them more secure and dependable. So if you 
ever need to store sensitive data persistently, 
then a session variable would provide more 
security than a cookie. Sessions are also 
capable of storing larger amounts of data 
than cookies. So there are clear advantages 
to using sessions regardless of whether 
cookies are available. 

For the purposes of Mismatch, sessions offer 
a convenient server-side solution for storing 
log-in data. For users who have cookies 
enabled, sessions provide improved security 
and reliability while still using cookies as an 
optimization. And in the case of users who 
don't have cookies enabled, sessions can 
still work by passing the session ID through 
a URL, foregoing cookies altogether. 
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migrating from cookies to sessions 


Complete the session trawsformatiow 

Even though the different parts of Mismatch affected by sessions use 
them to accomplish different things, the scripts ultimately require similar 
changes in making the migration from cookies to sessions. For one, they 
all must call the session—start () function to get rolling with 
sessions initially. Beyond that, all of the changes involve moving from 
the $_COOKIE superglobal to the $_SESSION superglobal, which is 
responsible for storing session variables. 



AH o-p "the session—powered 
shifts siari out with a ta\\ 
■to scssioh__s-tav-tO -to gc-t 
七 he scssioh up dhd 


// If the vi 


/ / 丄上 LI1C - -- — 

if ( ! issetC$ SESSION ['user_id'7)' ) 

if (isset (P— 匕 ubi. L ■ suuiu 丄 u- j ; ) { 

// Connect to the database 
$dbc = mysqli—connect(DB—HOST 


orrrfP'ii in, try to log them in 
{ 


DB USER, DB—PASSWORD, DB—NAME); 


// Grab the user-entered log-in data . DnQT r.n^Prname'1 ))； 

$user username = mysqli_real_escape_stnng ($ c, rim - 'password']) )； 

$user： P assword = mysqli_real_esca P e_string($dbc, tr 1 m($_POST[ password 川， 

if (!empty($user_username) && !empty($user_password)) { 

// Look up the username and password in the database 

$q U ery = "SELECT user—id, username FROM mismatch—user WHERE username ^ 
"password = SHA( 1 $user_password ! ); 

$data = mysqli_query($dbc, $query); 


$user username' 


AND 


io™n r xs S OK d so a sertii user ID and username session vars, and red.rect to the horae page 

-ow = mvsqli fetch array($data); 

SESSION [ ' user_id_^= $row [ ’ user—id'] 

SESbiuiN L ' Ube-Liicuuc $ row ['username ], . qvrvfr r ' PHP SELF' 1 ) . ' / index, php'; 

- —< $ SERVER ['HTTP—HOST’] . dirname ($—SERVER L P 此 —but」）., ^ 

.$home url); 


3 row 

"SE^ _ 

SESblUM L ' 

^jriUlLLt ： Lli 丄 一 11 ^ - 

header('Location: 

} 

p 1 S G { 

//The username/password are incorrect so set an error message . 

$erro r _ ： s~orry, you must enter a valxd usernarae and password to log xn. 

} 


The Loj-|h script uses sessions {o 



-the usc\r ID a^d usev^hame 
4\r log-ih ytrsisicut, av\d \i does 
so by \rdym 3 oh "the f__SBS£lOhl 
supc\rglobal i^sicad JTf C00k ： IB. 
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II Generate 


echo 

’ &#liiu oq ; 

<a 

nret= 

echo 

'&#10084; 

<a 

href= 

echo 

'&#10084; 

<a 

href= 

else { 

echo 

'&#10084; 

<a 

href= 

echo 

} 

'&#10084; 

<a 

href= 


{ 

- va.^wjyrofile .php n >View Profile</a><br /> 


JT- 一上丄丄 G • pup /£jU 丄 T ： Kr r>~h ~j i — 〆 / — 、 , 

'logout.php">Log Out (' .Q_SESSION [' username 7 ? 


')</a>' 


"login.php">Log In</a><br / >' 
'signup,php">Sign Up</a >'； 


// Loop through the array of user f w 

echo '<h4>Latest members:</h4>'• formatting it as HTML 

echo '<table >'； 

while ($row = mysqli_fetch_array($data)) { 


TV>C home uses 

-the f__£E£S|0N supcv^lobal 
*ms*tcad o( *to adtess 

lo^-'m dd*kd v/hile 
*tV>c dy>d dKoosm^ v/Kc*t^cv- 
OV y>o*t *to fv-ovide a \\rk *fco 七 he 
W |a*tcs*t mcmbcvs w fVO-P*llcs. 


if (isse^($_SESSION[ T user 彳 H 丨 、、 { 

eC $o ~~-^ie.php?user id=' 

} $row [ fl rst—name'] • '</a></td></tr>'7 

else { 

} echo '<td>' . $row['first_name'] . '</td></tr >'； 

} 

echo f </table > ! ； 


$row[ f user id f ] 


’> 


Similar -to -the 

ahd ho 州 e 

pages, the Edit 
fWi,le s^Hpt hG w 
us « f—SESS ⑽ 
ciUcss Io 0 -i h 

々 ia ihs-tcad of 
f—C 蚁 /£ 




AI*tV^ou^ Y\oi Aovm, 

七 \^ \/icv/ Pvo^ilc 

uses sessions 

'nr\ mu£>Vt *tViC s3w\C 

v/dy as td»*t Prof ile. 



// Make — ^hP n.^r is logged in before going any further. 

— 扣卿肋 — /P>，； 

exit(); 

} 

else { 


L echoC<P class=»login»>You are logged in as ' . (T_SESSION ['username 

▼ • <a href= ,f logout.php n >Log out</a>.</p > ! )； 、 - - 


lf (!empty($firS t— 細 e) “ !e m pty( $ last_na m e) && !empty( $ gender) && !empty( $ birthdate) && 

!empty($city) && !empty($state)) { . . 

// Only set the picture column if there is a new picture 

1 ^querf = ( "UPDK?E C mismitch_user SET first_name = ㊀ 

"gender = ， $gender，，birthdate = ' $birthdate - 

"picture = ， $new—picture 1 WHERE user—id = C $ SESSIONL user— 

el $quiry = "UPDATE mismatch user SET first—name = '$first_name', last_name 
$q "gender = '$gender', - , 1 ^ rthdate' , exty = '$cxty', state 

n WHERE user_id = ’ n .^^SESSION [ 1 use 

mysqli—query($dbc ， $query); 


>1 r-engaue 
r_id/^ • 


1 $last 一 name 
$state ! f n . 


1 $last 一 name 
$state ? n - 




editprofile.php 


viewprofile.php 
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fireside chat between cookie and session variable 


Fireside Chats 



Cookie: 


Tonight’s talk： Cookie and session variable get down and 
dirly about who has the best memory 



Session variable: 


There’s been a lot of talk around here among us 
cookies about what exactly goes on over there on 
the server. Rumor is you’re trying to move in on our 
territory and steal data storage jobs. What gives? 

Gome on now，steal is a strong word. The truth is 
sometimes it just makes more sense to store data on 
the server. 

That doesn’t make any sense to me. The browser is 
a perfectly good place to store data, and I’m just the 
guy to do it. 

What about when the user disables you? 

Uh, well, that’s a completely different issue. And 
if the user decides to disable me, then clearly they 
don’t have any need to store data. 


Not true. The user often doesn’t even know a web 
application is storing data because in many cases, 
it is behind-the-scenes data, like a username. So if 
you’re not available, they’re left with nothing. 

So I suppose your answer is to store the data on the 
server? How convenient. 


Alright, Einstein. Since you seem to have it all 
figured out, why is it that you still sometimes use me 
to store your precious little ID on the browser? 


Exactly. And the cool thing is that the user doesn’t 
have the ability to disable anything on the server, so 
you don’t have to worry about whether or not the 
data is really able to be stored. 


Er, well, most people really don’t know about that, so 
there’s no need to get into it here. We can talk about 
that off the record. The important thing is that I’m 
always around, ready to store data on the server. 
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Cookie: Session variable: 

Gome on, tell me how much you need me! 

Alright, I will admit that from time to time I do lean 
on you a little to help me keep up with things across 
multiple pages. But I can get by without you if I 
need to. 

Oh I know you can, but the truth is you’d rather not. 

And maybe deep down you really kinda like me. 

Look, I don’t have any problem with you. I just wish 
you were a little more secure. And you have that size 
limitation. You know, not every piece of persistent 
data is bite-sized. 

Ah, so you’re going to resort to picking on the little 
guy. Sure, I may not be able to store quite as much 
as you, and I’ll admit that living on the client makes 
me a little less secure. But it sure is more exciting! 

And I have something you can only dream about. 

Is that so? Do tell. 

Well, all that storage space and security you’re 
so proud of comes at a cost... a short lifespan! I 
didn’t want to be the one to have to tell you, but 
your entire existence is hinging on a single browser 
session. I think that’s how you got your name. 

You mean you can go on living beyond a single 
session? How is that possible?! 

It’s simple. I don’t die with a session, I just expire. 

So I can be set to live a long, full life, far beyond the 
whim of some click-happy web surfer who thinks 
it’s cute to open and close the browser every chance 
he gets. 

Wow. What a feeling that must be to experience 
immortality. My only hope is that some slacker 
scripter accidentally forgets to destroy me when he 
closes a session... but the browser will still do me in 
whenever it gets shut down. 

Problem is, those same scripters often set my 
expiration to such a short period that I don’t really 
get to experience the long life I truly deserve. I 
mean, I... 

Hello? Are you there? Geez, expiration is harsh. 
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test drive the "sessionized" mismatch 




Tesr DriVq 


Change Mismatch to use sessions instead of cookies. 

Modify the Mismatch scripts so that they use sessions instead of cookies to support 
log-in persistence (or download the scripts from the Head First Labs site at www. 
headfirst labs • com/boo ks/hfphp). The session modifications involve changes to the 
index.php, login.php, logout.php, editprofile.php, and viewprofile.php 
scripts, and primarily involve starting the session with a call to the session_start () 
function and changing $_COOKIE superglobal references to use $—SESSION instead. 

Upload the scripts to your web server, and then open the main Mismatch page (index . php) in 
a web browser. Try logging in and out to make sure everything works the same as before. Unless 
you had cookies disabled earlier, you shouldn’t notice any difference — that’s a good thing! 




MiiJiyfidl* Hilitli onbAMM uujueI 


"TK^hks sessions ； uscV"S 
with dookics disabled 
s*till lo^ ih dddess 
ikilr pc\rsohal pv»o*fi|«. 
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Watck it! 


Sessions without cookies may not work if your 
PHP settings in php. ini aren’t configured 
properly on the server. 


In order for sessions to work with cookies disabled, there 
needs to be another mechanism for passing the session 
ID among different pages. This mechanism involves appending the 
session ID to the URL of each page, which takes place automatically if 
the session. use_trans_id setting is set to 1 (true) in the php. ini 
file on the server. If you don’t have the ability to alter this file on your 
web server, you’ll have to manually append the session ID to the URL of 
session pages if cookies are disabled with code like this: 

<a href= M viewprofile.php?<?php echo SID; ?> M >view your profile</a> 


The S|p Sufev^lobal Isolds session 

ID, \n\\\CM is passed alo% 
*bV>VOU^il URL- SO 七 ha 七七 he 
Pvo-filc fay kir>o>ws dbou 七 session- 
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why the automatic logout? 




Users aren't feeling welcome 


Despite serving as a nice little improvement over cookies, something 
about the new session-powered Mismatch application isn’t quite right. 
Several users have reported getting logged out of the application despite 
never clicking the “Log Out” link. The application doesn’t exactly feel 
personal anymore... this is a big problem. 


the u Log lihk. 


usev-s av-c rtcvcv 
d ^ood 汐 


Hey, we were logged in last time 
we checked, and suddenly were all 
logged out! What gives? 


TWis isv / 乇 七 “ 
message 

■bo send *i*ts users. 
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What do you think is causing users to be 
automatically logged out of Mismatch? Is 
it something they’ve done inadvertently? 
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the lifespan of cookies and sessions 


Sessions are short-lived... 

The problem with the automatic log-outs in Mismatch has to do with 
the limited lifespan of sessions. If you recall, sessions only last as long as 
the current browser instance, meaning that all session variables are killed 
when the user closes the browser application. In other words, closing the 
browser results in a user being logged out whether they like it or not. This 
is not only inconvenient, but it’s also a bit confusing because we already 
have a log-out feature. Users assume they aren’t logged out unless they’ve 
clicked the Log Out link. 

^°99 ,h 9 sessions 

results ih the dvcatioh 
two session vaHables. 


scssiohs ov Cookies 
: sed, logg'mg ih is what scis ^ 
七 he wheels i h ^otioh. 


■ i ■…这 ■ ― 1 " 111 ■ 



"I B I user id = II 




Out *tKc session 
variables art 
dtsbeo^td) usev* is 

lo^ed - 
*t^cY I»kc »*t or ho 七 ! 


The session variables 
a\rc des-tv-oyed alo^ 
v/ith -the session when 
"the b\rowscv* is dosed. 


The usev- closes the 
b\rowsc\r but may hot 
代 aliic tha-fe they just 
logged themselves out. 



Even though you can destroy a session when you’re finished with it, you 
can’t prolong it beyond a browser instance. So sessions are more of a short¬ 
term storage solution than cookies, since cookies have an expiration date 
that can be set hours, days, months, or even years into the future. Does 
that mean sessions are inferior to cookies? No, not at all. But it does mean 
that sessions present a problem if you’re trying to remember information 
beyond a single browser instance... such as log-in data! 


Session variables are 
ctestroyed wken tke 
user ends a session ty 
closing tke browser. 
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^ookies are destroyect 
wken tkey expire, giving 
tkem a longer liiespan 
tkan session variables. 


t •• 


but cookies caw last forever! 


Unlike session variables, the lifespan of a cookie isn’t tied to a browser 
instance, so cookies can live on and on, at least until their expiration date 
arrives. Problem is, users have the ability to destroy all of the cookies 
stored on their machine with a simple browser setting, so don’t get too 
infatuated with the permanence of cookies — they’re still ultimately only 
intended to store temporary data. 



[ user 

id = i 1 


I time () h 

卜 2 hours I 

mr 

I username : 

=sidneyk 1 


time () + 

2 hours 



Sirwiloiv -(jo sessions, 
Cookies av-c 
at log—ih. 


Cookies a\rc OY\Vf 
AtsbroStA 



10 
■9 
■ 8 


II 


l 




■ 


■ I 


TVic o-f a Cookie 

•is dc*tcvw\'mcd by »*ts 
date/ 


r 
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using cookies and sessions in tandem 


So would it make sense to use both 
sessions and cookies, where cookies 
help keep users logged in for longer 
periods of time? It would work for 
users who have cookies enabled. 


As as youVc dealm” 舳 s C ^.t.v C 

data, m dasc, weak setu^ty ok Cookies 

would av-^uc -for usm^ sessions by themselves. 

Yes, it’s not wrong to take advantage of the 
unique assets of both sessions and cookies 
to make Mismatch log-ins more flexible. 

In fact, it can be downright handy. Sessions are better suited 
for short-term persistence since they share wider support 
and aren’t limited by the browser, while cookies allow you to 
remember log-in data for a longer period of time. Sure, not 
everyone will be able to benefit from the cookie improvement, 
but enough people will that it matters. Any time you can 



improve the user experience of a significant portion of your 
user base without detracting from others, it’s a win. 
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Sessions ^ Cookies - Superior log-in persistence 


For the ultimate in log-in persistence, you have to get more creative and combine all of 
what you’ve learned in this chapter to take advantage of the benefits of both sessions 
and cookies. In doing so, you can restructure the Mismatch application so that it excels 
at both short-term and long-term user log-in persistence. 


Weh a uw — ih, both 
session variables ahd 


Start 




The tiw'C *bV)C usev- 

o^tY\S dookiCS 

used *to *tV^c 

session v3V"i3blcs...voil3| 


r ookies sei io s^ c 

the usc\r ID sv\d us 饮 hdme 


Closing the b\roy/sc\r 
\rcsults ih the session 
vav-iablcs bc'mg destroyed, 
bui hot the Cookies. 





The usev- 

匕 loses the 

v/cb b\rowscv- ; 
killing the 
session ih 
the p\rodcss. 



TV^c e 中 aW《 oV_ 

took\cs \ssti 
ioZO days aHcr 
i\yt '°^ m * 


10 


11 


¥ '■ ■ 

A 


\ 


* m i\\t took'ics is used t 
v-csc*t *t^c session variables 


J 



6 


Ar 


z 


Rathcv- thah keepih^ i 

logged ih -Po\rcvc\r, the 



USCV-S 
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no dumb questions on cookies and sessions 



Dumb Quest! 


9ns 


So is short-term vs. long-term persistence the reason to choose 
between sessions and cookies? 

No. This happened to be the strategy that helped guide the design of the 
Mismatch application, but every application is different, and there are other 
aspects of sessions and cookies that often must be weighed. For example, the 
data stored in a session is more secure than the data stored in a cookie. So 
even if cookies are enabled and a cookie is being used solely to keep track of 
the session ID, the actual data stored in the session is more secure than if it was 
being stored directly in a cookie. The reason is because session data is stored on 
the server, making it very difficult for unprivileged users to access it. So if you’re 
dealing with data that must be secure, sessions get the nod over cookies. 

What about the size of data? Does that play a role? 

Yes. The size of the data matters as well. Sessions are capable of storing 
larger pieces of data than cookies, so that’s another reason to lean toward 
sessions if you have the need to store data beyond a few simple text strings. Of 
course, a MySQL database is even better for storing large pieces of data, so make 
sure you don’t get carried away even when working with sessions. 

So why would I choose a session or cookie over a MySQL database? 

Convenience. It takes much more effort to store data in a database, and 
don't forget that databases are ideally suited for holding permanent data. Log-in 
data really isn't all that permanent in the grand scheme of things. That’s where 
cookies and sessions enter the picture—they're better for data that you need to 
remember for a little while and then throw away. 
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PHP Magnets 


The Mismatch application has been redesigned to 
use both sessions and cookies for the ultimate in user 
log-in persistence. Problem is, some of the code is 
missing. Use the session and cookie magnets to add back the missing code. 


1 

1 

1 

1 $—COOKIE 1 

_1 1 - 

；COOKIE | 


» • • 

if (mvsqli num rows($data) == 1) { . , n • 一。、 

//The log-inls OK so set the user ID and username session vars (and cookies), 

/ / and redirect to the home page 
$ row = mysqli fetch — array ($ da.t 3.) } 

[ 1 user id 1 ] = $row[ 1 user_id ， ]; 

[ 1 username，] = $row['username，]; 

setcookie ('user id' , $row[ 'user id' ] , time () + (6Q * 60 * 24 * 30) ) ; // expires m 3 ° d ^ s 
setcooKie ( ^ v L + * 60 * 24 * 30)); / / expires in 30 days 

setcookie('username 1 , $row[ username ], < R r , pHp SELF «i) '/index.php'; 

$home url = 'http://' . $_SERVER[ ， HTTP—HOST'] . dirname($_SERVER[ PHP_SE j) . p 

header('Location : ' . $home_url); 


:丄丄 p 

//if the user is logged, in, delete the session vars to log them out 
session—start(); 

if (isset ( [* user id*])) { 

// Delete the session vars by clearing the $ SESSION array 

=array(); 

// Delete the session cookie by setting its expiration to an hour ago (3600) 
if (isset ( [session 一 name()])) { 

setcookie(session—name(), ，，， time() -3600); 


// Destroy the session 
session—destroy(); 




login.php 



logoTitphp 


// Delete the user ID and username cookies by setting their expirations to an hour ago (3600) 


setcookie ( ， user—id 1 , ", time () - 3600); 
setcookie( 1 username 1 time() -3600); 


<?php 

session 一 start(); 

,, 0 _4_ i--r \7 1-n spt them with a cookie 

// if the session vars aren't set, try to sex: 

'user_id'])) { 

['user id']) && isset ( . 

['user_id']; 

= ['username']; 


if (!isset ( 
if (isset ( 


['user_id'] 
r'username' 


['username'])) { 


$SESSION I 




indexlphp 
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PHP Magnets 

Solution 


The Mismatch application has been redesigned to use both sessions 
and cookies for the ultimate in user log-in persistence. Problem is, 
some of the code is missing. Use the session and cookie magnets to 
add back the missing code. 


► • • 

if (mysqli num rows($data) == 1) { , . , 

//The log-inls OK so set the user ID and username session vars (and cookies), 

// and redirect to the home page 
$ row = mysqli fetch — array ($da.ta .), 


$ SESSION 


$ SESSION 


’user id. 1 ] = $ row [ 1 user — id 1 ]; 

1 username，] = $row['username']; 


The hew Cookies av-c 
set \v\ dddrbioh ^to 
the session variables. 


setcookie(-user id« , $row [ «user_id« ] , time() + (60-60^24-30)); /〈 expires in 3^ d=s 

setcookie ('username' , $row [ 1 username ' ] , time () + (6。* 6 。 * 24 * 3。）），// expires in Y # 

$hOTie url = 'http:// 1 . $_SERVER['HTTP_HOST'] . dirname($_SERVER[ ， PHP—SELF ]) . /index.p p , 

header( ， Location: ' . $home_url); 


<?php 

//If the user is logged in, delete the 
session—start(); 


session vars to log them out 



if (isset( 


$ SESSION 


[▼user id f ] ) ) { 


// Delete the session vars by clearing the $ SESSION array 

=array(); 


$ SESSION 


login.php 


// Delete the session cookie by setting its expiration to an hour 

[session name()])) { 


if (isset ( 


$ COOKIE 


setcookie(session—name(), time() -3600); 


// Destroy the session 
session_destroy(); 


ago (3600) 


y\ov/ 


ou*t 

v-c<\u'iv-cs deletes ko*t^ 
session tookic 
七 lo^—tookics. 


|。土 


// Delete the user ID and username cookies by settingjtheir expirations to an hour ago (3600) 
setcookie ( , user_id , , time () - 3600); 
setcookie ('username ', ' \ time () - 3600) ; 
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\( ihc usev is / 七 lo^ed ir> 
via ihc session, dhcdk -to 

set try to set them with a cookie set i-P the Cookies 3\rc set 
//If the session vars aren r sex:, 。 j 


<?php 

session start(); 


if ( !isset( I $_S ESSION | 

if (isset ( $ COOKIE 



'user id'] 

['user id']) &&isset( 


['username']) ) { 


$SESSION I 

$_SESSIoiT] 


user id'] 


['username' 


I $_COOKIE I 

=I $ COOKIE 


user id'] 





?> 


[-username ']； \ index.php 

. This same dookic/session todt 

Set the session vaHdbles must also 50 m cd'rtfvo^ilc fhf 

usihg the Cookies. and 
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Tqst DriVq 


Change Mismatch to use both sessions and cookies. 


Modify the Mismatch scripts so that they use both sessions and cookies to support 
log-in persistence (or download the scripts from the Head First Labs site at www. 
headfirst labs • com/boo ks/hfphp. This requires changes to the index . php, 
login . php, logout. php, editprof ile . php, and viewprof ile . php scripts. 


Upload the scripts to your web server, and then open the main Mismatch page (index . 
php) in a web browser. Try logging in and then closing the web browser, which will cause 
the session variables to get destroyed. Re-open the main page and check to see if you’re still 
logged in — cookies make this possible since they persist beyond a given browser session. 



/// 

纖 Li 



Cookies W\i\\ sessions 
adds lo^yv- fcv-sis-tcr^dc *to 

alveady possible by sessions. 



Wsihg Cookies -to help 
sessions bettev* 
doesh i help usevs 
who have Cookies 
disabled... you ^ 
ohly do so 
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Your PHP 备 MySQL Toolbox 

You’ve covered quite a bit of 
new territory in building a user 
management system as part of the 
Mismatch application. Let’s recap some 
of the highlights. 


setcookie() 

TW\s bu»l*b-*m PttP Ui OY\ IS UScd 
-to sc-b a Cookie ov\ 七 he bvov/sev, 

•mdudi% 扣 oftio^al 

a-f*bcv* ^i\\\cM Cookie *»s 
destvoyed. l-f c%fivd*bio^ is 
pvovided ； d-ookic is deleted 
y/hen bvoy/sev- is dosed. 


;—COOKIE 

This buil 七一 i h pfjp supcvjlobal is 
used *to aucss Cookie daia. H 

1 ah 5hd ca^h Cookie is 

sWed as ah e+y i h 心 avvay. 

° a ^ css,h 9 a Cookie value ihvolves 
sp^i+yihj the hamc Cookie 

as 七 he a^ay ihdex. 


session start() 


This built—ih PUP -fuhdtioh stav~*ts 
d hcv/ session o\r \rc-s*tav-*ts a pv-c- 
C^isiihg scssioh. rwusi dal I this 
-fuhdtioh p\rio\r *fco addessih^ 3hy 
sessioh variables. 


SHA(value) 

TWis /i/lyS^L *(WW c^v"Y\>*b a 
^*,C6C te 此 rcsultm^ *m a sbr\^ 

d 千 0 V>c%adc6mal c^acitrs. 

TWis 七 ior> \>\rov*idcs d yrtai 

y/ay "to e 灼 £>v*Y? 七 da*b3 七 V»a 七 Y\ttd^ 
\p y-emdm u^V"Cdo^iz-ablc WrtWm 

七 V>c database. I*t is a o^c-v/ay 

^o>wcvcv-, mea— 如七 

■tKcrc is r>o {: \o^ 


session 一 destroy() 

This bull 七 - m PttP Wti oy\ closes 
d session ； d^d should be ddllcd 

youVe -f mislicdi v/*rth a 

pdvtl^uUv" session- This 
does Y\oi dcs-bvoy session vaviablcs ； 
hoy/cvcv, so rt’s ir»\pov-*tdir\*t *to 
mdhudlly dedh -those up by dlcav-m^ 

out i\\t f SESSION supcv^lobal. 


$— SESSION 

TWis bu*il*t-*m PttP su^^lobal is 
used *bo access session data. I 七 * s 
ay > avvay, dv>d tach session variable 
*,s stored as ar> c^y m *tV>c avraY. 
So a£.fi-cssir>5 "b^C value 0 -(* 3 session 

vdv^idblc involves 七心 

r>amc o^f -tKc variable as tKc a^ay 

•mdc%. 


l mds 
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building personalized web apps 








Several pieces of code from the Mismatch application have been pulled 
out, and we can’t remember what they do. Draw lines connecting each 
piece of code with what it does. 


PH P/MySQL Code 


empty($ COOKIE['user id']) 


setcookie(session name(), '', time() - 3600); 


SHA('$user_password') 


session destroy() 


setcookie('user id', $row['user id']) 


SESSION = array() 


session start() 


isset($ SESSION['user id']) 


Description 


Use a session variable to determine if a user 
is logged in or not. 

Use a cookie to determine if a user is logged 
in or not. 

Destroy a session cookie by setting its 
expiration to an hour in the past. 

Encrypt a user’s password into an 
unrecognizable format. 

Store a user’s unique ID in a cookie. 


Start a new session. 


Close the current session. 


Destroy all session variables. 
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who does what solution 






4 r 二 + 


Several pieces of code from the Mismatch application have been pulled 
out, and we can’t remember what they do. Draw lines connecting each 
piece of code with what it does. 

PH P/MySQL Code Description 



Use a session variable to determine if a user 
is logged in or not. 

Use a cookie to determine if a user is logged 
in or not. 

Destroy a session cookie by setting its 
expiration to an hour in the past. 

Encrypt a user’s password into an 
unrecognizable format. 

Store a user’s unique ID in a cookie. 


Start a new session. 


Close the current session. 


Destroy all session variables. 


416 


Chapter 7 


















7 % eliminate duplfccite code 






參 Sharing is caring 



Handsome and smart! 
Your shared umbrella 
theory is pure genius. 


Ifs really quite simple, darling. By 
sharing one umbrella, we eliminate 
the need for two umbrellas, we 
both still stay dry... and you get to 
latch on to one handsome fella. 


Umbrellas aren’t the only thing that can be shared, in any web 

application you’re bound to run into situations where the same code is duplicated in 
more than one place. Not only is this wasteful, but it leads to maintenance headaches 
since you will inevitably have to make changes, and these changes will have to be 
carried out in multiple places. The solution is to eliminate duplicate code by sharing 
it. In other words, you stick the duplicate code in one place, and then just reference 
that single copy wherever you need it. Eliminating duplicate code results in applications 
that are more efficient, easier to maintain, and ultimately more robust. 


this is a new chapter 









locate the duplicate code 




The Mismatch application has evolved since you last saw it, with improved navigation and a 
more consistent look and feel. But these improvements have come at a cost... duplicate code. 
Just by looking at the pages themselves, see if you can figure out what parts of Mismatch might 
represent a duplicate code problem. Circle and annotate these application parts, and also write 
down anything not visible that you think might also have code duplication issues. 


MiHituEch ^ Where g|i|WHte witrarf 1 - 

Lhfos _ VcetEcafit _ EdAftriik » Luft Outtpea^S 1 


L«iSt 






Ettd 



□xrdre 





tKW Miw—u* 



index.php 
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eliminate duplicate code 






Mbntttfch - Vksv Frvlllv 


Hmek ¥ Vkw &nfi|p » Bdiiitafflc - Lcs Oul 


i"irH DHmt ； Jehus 
].nu niki»j-j ,\cni:s 
rrfDchf ： Maic 
Hint) Oft lt-.' LiS ]-|]^!； 
Lradon: Afbcn.'i.OA 


FSCEILM-L 


W 如 Jd JTXJ like Ld nJ.E vmir p p jiv〆 


°Cqf|}iTi§b 





viewprofile.php 



editprofile.php 
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mismatch's duplicate code 



The Mismatch application has evolved since you last saw it, with improved navigation and a 
more consistent look and feel. But these improvements have come at a cost... duplicate code. 
Just by looking at the pages themselves, see if you can figure out what parts of Mismatch might 
represent a duplicate code problem. Circle and annotate these application parts, and also write 
down anything not visible that you think might also have code duplication issues. 



The t»*blc 

appcav-s oh cvcvy pay ， 
y/rth o^ly detailed 

pay *t*i*tlc 
-fv*ow» *to pay. 


The havigatioh 

is Weirtidl a^v-oss all 
ihiree pages. 






viewprofile.php 


index.php 


Tk pay -footev 七1^七 holds 

-fov- i\\t apfli^atio\r\ is -tiiC 
same cvcvy>wiic\rc. 




〆 






AH o( the pages thoi-t v-dy oy\ a usev~ 
log - ih \rc<\ui\rc "the s3^e session 
stairt-up olhd log-ih ^odc- 


editprofile.php 


✓ 


/ 


✓ 


/ 










420 Chapter 7 % 















































eliminate duplicate code 


Mismatch is m pieces 


So the Mismatch application has some common elements that are 
duplicated in the main script files at the moment. Why is this a big deal? 
Because it makes the application difficult to maintain. What happens if 
you decide to add a new page that requires a new menu item? You have to 
go through and change the menu code in every script file to show the new 
menu item. The same thing applies to the copyright notice. 

The solution to the problem is to only store any given piece of information 
once. Then if that code ever needs to change, you only change it in one 
place. With that in mind, it’s possible to rethink the organization of 
Mismatch in terms of reusable script components. 



the page header 



header.php 


The header • php script 
contains the title of the page, 
which references a variable 
to present a different title on 
each page. The header also 
includes standard HTML 
boilerplate code and takes 
care of chores such as linking 
in the CSS style sheet. 


The navigation menu 





navmenu.php 


The navmenu . php script 
generates a navigation menu 
for the application based on 
whether the user is logged in 
or not. The navigation menu 
presents “Log In’’ or “Log 
Out” links as needed. 


the page footer 



This docsh^t V-csult 

visible HT/WL todt, bu-t \i 
plays a vital vole ih 

usev* log—'ms "tlivoughout the 
/Wisma-Uh appli^cl-tioh. 


The session starter 



Thestartsession.php 
script is responsible for starting 
the session and checking to see 
if the user is logged in. 


startsession.php 




footer.php 


The footer . php script 
displays a copyright notice 
for the application and closes 
the HTML tags opened in 
the header. So the header 


and footer work as a pair that 
must always be used together. 
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mismatch needs a template 


Rebuilding Mismatch from a template 


OK, so we break apart Mismatch into multiple scripts, but how do we 
put them back together? You’re already familiar with how include files 
work, and those are part of the solution. But you have to think larger 
than include files... you have to think in terms of templates, which 
allow you to build a single page as a combination of multiple include 
files. A template is like a blueprint for a page within an application where 
everything but what is truly unique to that page comes from include files. 

The template version of Mismatch involves breaking apart common 
code into scripts that each play a very specific role, some responsible for 
generating visual HTML code, some not. The idea is to distill as much 
common functionality as possible into template include files, and then only 
leave code in each application page that is completely unique to that page. 


Templates allow a 
PHP application to te 
tuilt out oi reusable 
script components. 


The hcadc\r appcav-s ai -the -top 
cvc\ry /Wisma-Uh pay, ahd 
displays -the title Bs 

well as a title. 




startsession.php 


header.php 


gvcv-y Mis 眯七 
pcvsorvariz^d *to a usev- 
vc^uivcs lo^—m Code 
keeps -tv-adk *tKc usev. 


丁 he 4otc\r Provides doh-tch-t 
"the bo 七 o*p cvcv*y 
page, whidh 

ih^ludcs 3 dopyv-igh-t hotidc. 





navmenu.php 


The 

appeals just below -the 
header dhd p\rovidcs 
Alisrwa-t^h with 3 
^Ohsis-tcht r^Chu "to 
between the pd^es. 


index php 


footer, php 


iVrth so mar>Y o*tiiCV shrifts 
out, *tKc s 〜 ifi is lc*fi io 

-fotus solely OY\ its Uir\*i<\uc vole; v/iViA 
•is dis^lay'm^ ma’m usev list 
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eliminate duplicate code 



Dumb Questi9ns 

What is a template exactly? Isn’t it just a bunch of include files? 

Yes. A template is a collection of include files, but it’s a collection 
designed specifically to separate an application into functional components. 
The goal is to reduce a page down to what is truly unique about that page, 
and only that page. So headers, footers, navigation menus, and any other 
application pieces and parts that are the same or similar among more than 
one page are ideal for inclusion in an application template. The end result 
is that you place template code in PHP include files that are referenced by 
other scripts that need them. 

You can think of a template as a group of include files that go a step or 
two beyond just reducing duplicate code—they actually help organize the 
functionality of an application. Mismatch is a fairly simple example of how 
to employ templates—larger, more complex PHP applications often employ 
very sophisticated template systems. 

Doesn’t template code have to be exactly the same in order to be 
shared across multiple scripts? 

No. It’s perfectly acceptable for template code to just be similar, not 
exact. The reason is because you can use variables to allow for some 
degree of customization as a template is applied to different pages. The 
page title in Mismatch is a perfect example of this. The page header 
template is similar in every page in that it has a title that always begins with 
"Mismatch - But the specific title is different, which is why a variable is 
needed to provide a means of varying the title slightly among different pages. 
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mismatch 一 now using templates! 


Rebuild Mismatch with templates 

The design work involved in breaking an application into template scripts 
is usually worth the effort. You end up with a collection of tightly focused, 
bite-size scripts, as well as dramatically simplified code in the main 
application script files that are now dependent on the template scripts. 



<?php 

session 一 start(); 

,, 。。卜 +- rv to set them with a cookie 
//If the session vars aren t set, y ^ 

if (lisset($_SESSION['user_id ])) { COOKIE['username'])) { 

if (isset($_COOKIE['user_id']) && 1 S set(^ luu 
$ SESSION ['user_id'] = $—COOKIE ['user—1 '卜 

SESSION['username'] = $_COOKIE[ username 

} 


TVy "to \resei the 
session variables 
with Cookies i-p 

"they set 


?> 


HTML 

to&t 3 POCTVPt 
av\d 


Build d dus-fcom page title 

the fpagc__ti-tlc 

variable，whidh is provided by 
the script i^ludmg this -file- 




startsession. 


Lmk \ y \ 七 he 
application 
style sheet 


<!DOCTYPE html PUBLIC ” -//W3C//DTD XHTML 1.0 Transitional//EN 
’’http : //www.w3.org/TR/xhtmll/DTD/xhtmll-transitional.dtd”> 

<html xmln S =”http : // www .w3.org/1999/xhtml” xml:lang="en" lang='^n"> 
<head> ^ 

<meta http-equiv=-'Content-Type" content=-'text/html; charset=ut^-8" /> 

<?php 


?> 


echo , <title>Mismatch - ' . $page—title . ' 〈 /title 〉'； 


<link reWstylesheet" 
</head> 

<body> 

<?php 

echo '<h3>Mismatch - ' 

?> 


type= n text/css” href=”style.css” /> 


$page title . '</h3> 


<?php 

// Generate the navigation menu 
echo ’〈hr / >'; 

if (isset ($_SESSI0N[ 'username'])) { 

'index.php">Home</a> &#10084; 

'viewprofile.php">View Profile</a> &#10084; 
'editprofile.php">Edit Profile</a> &#10084; 
'logout.php">Log Out (' . $_SESSI0N['username'] 


'signup.php">Sign Up</a> 


?> 






header.php 


echo 

1 <a 

href=' 

echo 

1 <a 

href =, 

echo 

1 <a 

href=' 

echo 

f <a 

href=' 

} 

else { 

echo 

'<a 

href= 

echo 

'<a 

href= 

} 

echo ' 

<hr 

/>'; 


')</a> 


See i-P the usc\r is 
logged \ y \, dhd thch 
gchc\ratc the appv-oj>v-iatc 


navmenu.php 


Display a ^opyvi^-b 

Y\ohct and >/\raf uf 

i\\c HTML Code- 


<hr /> 

<p class: 
</body> 
</html> 


footer">Copyright &copy;2008 Mismatch Enterprises , Inc.</p> 
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eliminate duplicate code 


The s-ta\rbcssio»r>.php sdvip 七 must be 
mdludcd *fiirsi so 七 “at the session is 
skirted and the v-crwamdc\r o( -the 
sdvipi has access -to session data 



TKc 一七 rtle variable 

dc*tcv-m*mcs *tKc title o( 
iiic pa^c that is displayed 
v/rthm *tKc pay Keadev - . 


<?php 

Start the session 
require once('startsession 


.php^M^) 



Insert the page header 
$page 一 title = ' Where opposites attract 
[uire once (' header . php '); 


require 一 once('appvars•php 1 ^ 
require once('connectvars.php') 


// Show the navigation menu 
equire once('navmenu.php 



"HiC dohhC^ioh Vd\ridbl(S 

3hd applidatioh v^\ridbles 

still ihdluded -P\rom 
Wipt -Piles like bcW. 


TVic y\av'i^at»oy\ is yy\cv-a*tcd 
a-PW deader but kcW 

body *t^ c ? a 3 e . 


V / Connect to the database 

$dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); 


// Retrieve the user data from MySQL 

$query = "SELECT user 一 id, first—name, picture FROM mismatch user WHERE first 一 name IS NOT NULL 
"ORDER BY j oin—date DESC LIMIT] n ; 

$data = mysqli_query($dbc, $query); 

// Loop through the array of user data, formatting it as HTML 
echo ' <h4>Latest members : </h4> '; 
echo '<table>'; 

while ($row = mysqli fetch array($data)) { 

if (is—file(MM UPLOADPATH . $row['picture']) && filesize(MM UPLOADPATH . $row['picture']) > 0) 
echo ' <tr><tdximg src= M ' . MM UPLOADPATH . $row[ 'picture' ] . ' M alt= M ' . $row [ 1 first 一 name 1 ]. 

' M /></td>'; 


else { 

echo ' <tr><tdximg src ； 
， ’ ， /></td> '; 


UPLOADPATH 


nopic. j pg 


alt: 


$row['first name'] 


if (isset($_SESSION['user 一 id'])) { 
echo ' <td><a href= M viewprofile.php?user_id=' 

'</a></tdx/tr> '; 

} 

else { 

echo '<td>' . $row['first name 1 ] . '</td></tr> 


echo '</table>'; 

mysqli close($dbc); 
?> 


$row['user id'] . ' M >' . $row['first name 1 ] 


<Jlphp- 



II Insert the page footer 
equire once( 1 footer 

?> 



The -foo-tev -f'mislics up fay ， 
dhd wus 七 appeav last s'mdc i-t 
closes up ttT/VIL 


TV.c 娜七 — 如〜 d— _ 
tvulv 从 c ?ay, so 

^cves less ok it. 



index.php 
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a well-designed php app 

much 

Mismatch is whole again... amTbett 吖 organized 


While the thought of ripping apart the Mismatch application into tiny pieces 
might have been a bit unnerving, the end result is definitely worth the effort. 
The application’s now spread across several new template (include) files, which 
offer much better organization and maximize the sharing of script code. If you 
need to change one of these pieces, just change one file and the effect cascades 
throughout the entire application... that’s the power of templates! 

TiiC s*tav*bcssior\ script 
iid^dilcs lo^—m — 

■basks, ad docs^-t oMupy any 
visual spade ov\ 七 he pay. 


TiiC session s*t3\rt—uf 
Code, is used by any 
pay ve—w a 
usev- 

/ I 




Tlic page headev- 
ih^ludcs boilev-plate 
HTML tode 
仏 e title- 


header.php 


T\\t pay -foo*tcv- 
dor\*ba'ms 

<o\r 

you y\ccd *to 

七 jus 七 

i*t *m ov\t 


n 1^ 

Mi .irateh Whenr GncHSrulm anrair! 


■ Wli«v uppusibs ullractr 

Hto,3 £teiLEMfi.BiitMfc,Lof— — I 


lstartsession.php 

I 


navmenu.php 


Laws! jtwfflbtrsi 


Vlisnijich yrfw F/^r if 




MucnuCth ■ Visw rniule 


r rig Out ttncntcsi 


Horn ■ _ vv 來 Praflfc 






hb^maKh 


Mufcnuldi - E(Jil Fntfih 


LBii 


Dkndjg 


Mali 1 


tender:: 


EMrliwtite: l ^ PTWIj^ 


Loa fJun'?fff T ||^. ! L\ 


EvDCAlSoui Aihfi^s-iCA 


PcrwBBj lnJonjiDoon 




FlnJ 


t'lrturi;: 


La® lyfSTr" 

tKndfTJ 4^)1 

USnlidai*i ii$T-iT-w 

(- Alhcn 准 

S _4 -- 

PwUjpk f Chtow _ 、 •» 咖一一 




would you Utcw cdlm 


H^ianpw irm 


心 C JUGBMidffuict E^c.«rp^[. \m 


provides hahdy lihks 
"to the rw«ljo\r pairts 

o( the appli^atioh. 


footer, php 
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8 control your control your world 





Harvesting data 


The way I see it, if s all about data 
management. First I sort the peas, then I 
select a few potatoes, join them with some 
celery and a few rows of corn kernels... 
before you know it there's a tasty stew! 


There’s nothing like a good fall data harvest. An abundance of 


information ready to be examined, sorted, compared, combined, and generally 
made to do whatever it is your killer web app needs it to do. Fulfilling? Yes. But like real 


harvesting, taking control of data in a MySQL database requires some hard work and 


a fair amount of expertise. Web users demand more than tired old wilted data that’s dull 


and unengaging. They want data that enriches... data that fulfills... data that’s relevant. So 
what are you waiting for? Fire up your MySQL tractor and get to work! 


this is a new chapter 






looking for a love-hate relationship 


Making the perfect mismatch 

The Mismatch application has a growing database of registered users 
but they’re ready to see some results. We need to allow users to find their 
ideal opposite by comparing their loves and hates against other users 
and looking for mismatches. For every love mismatched against a hate, a 
couple is that much closer to being the perfect mismatch. 


Sidhcy has yet io 

•Pmd /Wv". Right 
she K^s ^ huhdh 
he'll hate v-cali-ty TV 
as as she loves it 


I really hate horror movies. 

And Spam, blech! But I do love 
Barbara Streisand, and there's 
nothing better than a good hike. 



Nothing warms my heart like a 
good slasher flick coupled with a Spam 
sandwich. As long as Barbara Streisand 
doesn’t show up in the movie hiking! 


r 


wate tattoo’ 

Love cowboy booft 
Love reality "TV 
^ate horror ^ovie^ 
wate 

Love ^picy food 
^ate toward 
Love Barbara Strei^a^d 
Wate weightlifti^ 

Love hiki^ 


Sid^cy^s list o( loves a^d hates 
doirrbras'ts s-ta\rkly with Joh 扣、 maki^ 
■the Couple <\uitc ^v\ c-p-fc^tivc miswtdh. 


Love tattoos 
Love cowboy boofs 
Hate reality TV 
Lovg horror Movies 
Love Spaw 
Love spicy food 
Love Howard S{erN 
Hate Barbara S{reisaNc| 
Love weigh+lif+iNg 
Hate hikiNg 


Rcmcmbcv v)oV^air\； 3 lonely 
V^carb m scav-^V) someone 
y/V^o V^atcs we 吵 as 

^cM as \\t loves it? 
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control your data, control your world 


Mismatching is all about the data 

In order to carry out Mismatches between users, we must first figure out how 
to organize the data that keeps up with what they love and hate. Knowing that 
it’s going to be stored in a MySQL database isn’t enough. We need to organize 
these love/hate topics so that they are more manageable, allowing users to 
respond to related topics, indicating whether they love or hate each one. 


Appearance 


Ta++oos 


Cowboy toofj 



Similav -tofits avc youfcd 

as -fcopids 

vcl3*tcd *to cipfc3v-air>tc. 


Entertainment 




Eddh ihdividudl -fcopifi. yts 
a lovc/hol-tc \rcsj>ohSC that 
is ma-Uhcd up agaihs-t -the 
v*cspohScs o-P o*thc\r usevs. 



Write down how you would organize the Mismatch data into 
discrete groups of data that could be stored in a database: 


you are here ► 


429 

























a data model for mismatch 


freak down the Mismatch data 


Coming up with a data model for an application such as Mismatch is 
an extremely important step, as it controls an awful lot about how the 
application is constructed. In the case of Mismatch, we can break down 
its data needs into three interrelated pieces of data. 


Categories 

Categories are used to help 
organize topics. Although 
they don’t play a direct role 
in determining a mismatch, 
they will help make it easier 
for users to enter responses. 


Entertainment 


Activities 


Responses 

A user describes themselves 
for mismatching purposes 
by responding to topics. An 
individual response is just a 
love/hate answer to a topic. 



Categories a\rc used -to 

v-clatcd 

Alisma'tdh "fcopids. 




0 


Reality TV 

Weigh+liffiNg 


TofldS -fovm ^U*ts 

(Jc /Vlisw\ 3 *b£.ii 

da*ta, dctid'm^ 4a 七 

pava^ctcvs usevs 
be misrr\ 3 *t£.iicdi or>- 


Topics 


horror 

HikiNg 



0 


Mismatching takes place 
with respect to topics, such 
as tattoos or spicy food, 
each of which gets a user 
response 一 love or hate. 



Responses a\rc ihe individual love/ 
hate ahswc\rs -to -fcopi^ ahd avc 
-to Alisrwoj-tdli usev-. 


How exactly does this data lead to a mismatch between two 
users? We compare responses that users have made on each 
topic. For example, since Sidney and Johan have opposite 
responses to the topic “Horror movies,” we have a successful 
mismatch on that particular topic. Figuring the best overall 
mismatch for a given user involves finding the user who has 
the most mismatched topics with them. 


Horror Movies 


m 


Sidneys dislike o-P 
hovvov movies ledds 
*to d 




Wait 、眯 ! 


Love ( 







A mismatch! 
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control your data, control your world 


Model a database with a schema 


In order to translate the data requirements of the Mismatch application 
into an actual database design, we need a schema. A schema is a 
representation of all the structures, such as tables and columns, in your 
database, along with how they connect. Creating a visual depiction of 
your database can help you see how things connect when you’re writing 
your queries, not to mention which specific columns are responsible for 
doing the connecting. As an example, let’s take a look at the schema 
for the original Mismatch database from the previous chapter, which 
consists of only a single table, mismatch_user. 


tabic 


mismatch user 


user 


id 


username 


password 


join date 


first name 


last name 


gender 


birthdate 


state 


picture 






This symbol 

that the 

乙 olunrm is a p\rimav-y 
key -Po\r -the -table. 


A description ol tke 
data (tke tallies and 
columns) in your 
database，along witk 
any otker related 
objects and tke way 
tkey all connect is 
known as a scliema* 


£.olumy\s m *tKc 

arc lis*tcd jus*t as a PP cayr 
rn tKc database sbrui^ 


This way of looking at the structure of a table is a bit different than 
what you’ve seen up until now. Tables have normally been depicted 
with the column names across the top and the data below. That’s a 
great way to look at individual tables and tables populated with data, 
but it’s not very practical when we want to create a structural diagram 
of multiple tables and how they relate to one another. And Mismatch 
is already in need of multiple tables... 


Creating a ctiagfram oi 
a table lets you keep 
tke design of tke tatle 
separate from tke data 
tlrat’s inside ol it. 
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pick the best mismatch schema 




E%ettctSe 


The Mismatch database is in need of storage for user responses to love/hate topics, as well as 
the topic names and their respective categories. Here are three different database designs for 
incorporating categories, topics, and responses into the Mismatch database. Circle the schema 
that you think makes the most sense, and annotate why. 



丁 his is "the hew dd'td ihtvodudcd 
by ihe heed -to keep up with 
Mismatch usc\rs ； loves a^d hates. 


mismatch user 


user 


id 


username 


password 


join date 


first name 


last name 


gender 


birthdate 


city 


state 


picture 


mismatch topic 


mismatch user 


1 userjd | username [ password 


11 1 jnettles I******** I 


topk id 

name 

category 

1 

Tattoos 

Appearance 

2 

Cowboy hats 

Appearance 
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mismatch’s best database schema 



The Mismatch database is in need of storage for user responses to love/hate topics, as well as 
the topic names and their respective categories. Here are three different database designs for 
incorporating categories, topics, and responses into the Mismatch database. Circle the schema 
that you think makes the most sense, and annotate why. 


Pivst its inr»po\rtaht -fco establish ihai the ohly yxv/ daia 
involved \y\ a usev- jivihj lovc/hatc vcspohscs avc the vcspohscs 
-themselves - cvcv-yth'mj else m the database is -Pi^cd ； at least 
-Pv-onr» ihc useir’s pcvspcdiivc. 


mismatch topic 
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ddidbdse sdiicma shores rtsyo^scs *m 
i\)t\r ovm -table, st^arait -f'rom oiiicv 
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-tKc vcspoy\scs. TKcvc^s y\o duplida*t'ioir> 
due b> vcspoy>scs bcdausc usevs, 

daic^oncs, dr^d -tofids a^rc all outside o( 


mismatch— user 

i "1 — 


topi«id 

name 

category 


1 

Tattoos 

Appearance 

user id I username | password | .» 


2 

Cowboy hats 

Appearance 

- - ——* - - 


3 

Reality TV 

Entertainment 

| jnettles | ******** | … 


4 

Horror movies 

Entertainment 
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11 
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Hate 

11 

3 
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Love 

11 

4 
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^ 3 "tc 0 o\rics. 
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mismatch’s schema uses foreign keys 


Wire together multiple tables 

Connecting tables together to form a cohesive system of data involves the 
use of keys. We’ve used primary keys to provide a unique identifier 
for data within a table, but we now need foreign keys to link a row in 
one table to a row in another table. A foreign key in a table references the 
primary key of another table, establishing a connection between the two 
tables that can be used in queries. 

The Mismatch schema from the previous exercise relies on a pair of 
foreign keys in the mismatch_response table to connect response 
rows to user and topic rows in other tables. 


A foreign key is a 
column in a table 
tkat references 
tke primaty key oi 
anotker tatle. 



Without foreign keys, it would be very difficult to associate data 
from one table with data in another table. And spreading data 
out across multiple tables is how we’re able to eliminate duplicate 
data and arrive at an efficicient database. So foreign keys play an 
important role in all but the most simplistic of database schemas. 


Large arrows skow 


primary keys connecting 
to foreign keys to wire 
togetker tatles* 
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Foreign keys m action 

It often helps to visualize data flowing into tables and connecting tables 
to one another through primary and foreign keys. Taking a closer look at 
the Mismatch tables with some actual data in them helps to reveal how 
primary keys and foreign keys relate to one another. 


J\s a key, usc\rjd ^us*t be 

uru°\uC uscv~ 

七 able, h tiiaVs its purpose 
- pvo\/idm 5 a u^i<\uc Yt^tYtY\Ct *to 
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mismatch user 
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"to khow whi^h usc\r is associated 
with a givch \rcspohSC. 
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key sev-ves as a ur\i<\uc 
mdc% -fov vov/s m 

-table- 
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password 
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Within the mismatch_response table, you can find out more 
information about the user who entered a response by looking up the 
user_id in the mismatch—user table. Similarly, you can find out the 
name of the topic for the response, as well as its category, by looking up the 
topic_id in the mismatch_topic table. 

Binding together tables with primary keys and foreign keys allows us to 
connect the data between them in a consistent manner. You can even 
structure your database so that primary keys and their respective foreign 
keys are required to match up. This is known as referential integrity, 
which is a fancy way of saying that all key references must be valid. 


i-BCM vov/ m 七 his "table is 
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use\rs will have v-cspohscs 
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TVic user 一 id key t»cs 

a v-cspoK\sc row "to 3 v-ow 
m *bV^c 一 usev* *t 3 blc* l*b 

is〆 七 smfi-C 3 usev* 
several lovc/V^atc wfwses. 
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types of relationships between tables 



I understand that primary keys and foreign 
keys connect multiple tables together, but 
does the direction of the arrows between 
keys in those diagrams mean anything? 


Yes, the direction of the arrows tells us how rows in 
each table relate to each other. 

More specifically, they tell us how many rows in one table can have 
matching rows in another table, and vice-versa. This is a critical 
aspect of database schema design, and involves three different possible 

patterns of data: one-to-one, one-to-many, and many-to-many. 


Tables caw match row for row 

The first pattern, one-to-one, states that a row in Table A can have at 
most ONE matching row in Table B, and vice-versa. So there is only one 
match in each table for each row. 

As an example, let’s say the Mismatch user table was separated into two 
tables, one for just the log-in information (Table A) and one with profile 
data (Table B). Both tables contain a user ID to keep users connected 
to their profiles. The user_id column in the log-in table is a primary 
key that ensures user log-in uniqueness. user_id in the profile table is 
a foreign key, and plays a different role since its job is just to connect a 
profile with a log-in. 
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Table P 
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ONLY ONE 一 TO 
of these rows 


ONLY ONE 
of these rows 


mismatch user_login 


user_id 

username 

password 
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~"9"""" 

dierdre 

08447b... 

2008-05... 

~io~ 

baldpaul 

230dcb … 

2008-05." 

(11)、 

〆 jnettles 

e511 d7... 


H2 


062e4a... 

2008-06... 

13 

theking 

b4f283 … 
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user profile id 
ir " 

first_name 
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gender 
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userjd 
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• •參 

(lO 
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M 


夕 8 

9 
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M 


10 

— … / 


With respect to the two user_id columns, the log-in table is considered 
a parent table, while the profile table is considered a child table — a table 
with a primary key has a parent-child relationship to the table with the 
corresponding foreign key. 
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One row leads to many 



ONE _ TO—► MANY 

of these rows of these rows 


One-to-many means that a row in Table A can have many matching rows 
in Table B, but a row in Table B can only match one row in Table A. The 
direction of the arrow in the table diagram always points from the table 
with one row to the table with many rows. 


Using the Mismatch database again, the current schema already takes 
advantage of a one-to-many data pattern. Since a user is capable of 
having many topic responses (love tattoos, hate hiking, etc.)，there is a 
one-to-many relationship between user rows and response rows. The 


Pv-imav-y key. 

mismatch 一 user 

password 


user_id column connects these two tables, as a primary key in 
mismatch_user and a foreign key in mismatch—response. 
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Dumb Questions 



One-to-One ： 
exactly one 
row oi a 
parent tatle 


is related to 
one row ol 
a ekilet tat>le. 


How do I know whether rows in two 
tables should have a one-to-one or one-to-many 
relationship? 

There will be a tendency to use one-to-many 
patterns much more often than one-to-one, and 
rightly so_ It’s common to have a main (parent) table 
containing primary data, such as users in Mismatch, 
that connects to a secondary (child) table in a one- 
to-many arrangement. This happens twice in the 
Mismatch schema, where both users and topics have 
a one-to-many relationship to responses. 

In many cases, rows with a one-to-one relationship 
in two tables can be combined into the same table. 
However, there are certainly situations where it 
makes sense to go with a one-to-one pattern, such 
as the hypothetical user profile example on the facing 
page, where there is a security motivation in moving a 
portion of the data into its own table. 


# 

exactly one row 
oi a parent 
tat>le is relatect 
to multiple 
rows oi a 
ekilet tatle. 
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the many~to~many relationship 


Matching rows mawy - to - mawy 

The third and final table row relationship data pattern is the 
many-to-many relationship, which has multiple rows of data in Table A 
matching up with multiple rows in Table B... it’s kinda like data overload! 
Not really. There are plenty of situations where a many-to-many pattern 
is warranted. Mismatch, perhaps? Let’s have a look. 


Plfable A^ 











Table P 




► 







MANY ♦-T0-+ MANY 


of these rows of these rows 

Wscv-s a^d -topics have a 



The many-to-many pattern in Mismatch is indirect, meaning that it takes 
place through the mismatch_response table. But the pattern still exists. 
Just look at how many of the same user—ids and topic_ids appear in 
mismatch_response. 

In addition to holding the response data, the mismatch_response table 
is acting as what’s known as a junction table by serving as a convenient 
go-between for the users and topics. Without the junction table, we would have 
lots of duplicate data, which is a bad thing. If you aren’t convinced, turn back 
to the schema exercise near the beginning of the chapter and take a closer 
look at Design 2. In that design, the mismatch—topic table is folded into 
the mismatch_response table, resulting in lots of duplicate data. 


Many-to-Many: 
Multiple rows ol 
a parent table 
are related to 
multiple rows oi 
a ckilct tatle. 
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In each of the tables below, there are circled columns that could be moved out into 
their own tables. Write down if each of the columns is best represented by a one-to-one, 
one-to-many, or many-to-many relationship with its original table, and then draw the 
relationship as a line connecting the two tables with appropriate arrowheads. 


mismatch user 


user id ^ 11 ^ 


(^addressj) 


e 


mploy 
friends 


er 















mismat<h topi< 


topic 一 id 


name 


^category 




*bopi£. 
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name that relationship solution 



EH 9 F 



In each of the tables below, there are circled columns that could be moved out into 
their own tables. Write down if each of the columns is best represented by a one-to-one, 
one-to-many, or many-to-many relationship with its original table, and then draw the 
relationship as a line connecting the two tables with appropriate arrowheads. 
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control your data, control your world 



Hold it right there! Take a second to get the Mismatch database 
in order so that we can make mismatches. 

Download the . sql files for the Mismatch application from the Head First Labs web site 
at www. headfirst labs . com/boo ks/hfphp. These files contain SQL statements 
that build the necessary Mismatch tables: mismatch 一 user, mismatch—topic, and 
mismatch_response. Make sure to run the statement in each of the . sql files in a 
MySQL tool so that you have the initial Mismatch tables to get started with. 

When all that’s done, run a DESCRIBE statement on each of the new tables 
(mismatch—topic and mismatch_response) to double-check their structures. 
These tables factor heavily into the Mismatch PHP scripts we’re about to put together. 



T\\t *top'id_idi -fovcio 
key tics batk -to 
pvimav'y 
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using the database to build a questionnaire 



OK, so we have this wonderfully 
designed database of users, categories, 
topics, and responses. How is that going 
to actually help us make a mismatch? 


mismatch topic 
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> P kjd 1 

name 

category 


Tattoos_1 

Appearance | 

2 T 

Gold chains 

Appearance | 

3 T 

Body piercings 

Appearance 

~~ r 

Cowboy boots I 

Appearance 

5 ^ 

Long hair 

Appearance 


Reality TV 丁 

Entertainment | 

ztj 

Professional 
wrestling_1 

Entertainment 1 


Horror movies 

Entertainment | 

― \ ~~ 1 

Easy listening music 

Entertinment | 

10 | 

The opera 

Entertainment [ 


Sushi 1 

Food 

12 | 

Spam_ 

| Food 口 

13 

Spicy food | 

| F °gj_ 

14 

I Peanut butter & 

1 banana sandwiches 


15 

I Martinis 

1 F °^__ 

16 

Howard Stern 

| People 

1 17 ~~ 

j Bill Gates 

| Peopel 

18 : 

1 Barbara Streisand 

| People 

19 

Hugh Hefner 

| People 

20 

Martha Stewart 

| People 


Yoga 

1 Activities 1 

22 

j Weightlifting 

| Activities 1 

23 

| Cube puzzles 

Activities | 


j Karaoke 

1 Activities | 


"1 Hiking 

IZZ — 


If you start with a well-designed database, every 
other piece of the application puzzle becomes 
that much easier to build and assemble. 

Getting the database right when initially designing an application is 
perhaps the best thing you can do to make the development process 
run smoothly. It may seem like a lot of work up front plotting and 
scheming about how best to store the data, but it will pay off in 
the long run. Think about how much more difficult it would be to 
rework the Mismatch database schema with it full of data. 

That’s the big picture benefit of a good database design. Looking 
at the Mismatch database specifically, we have a user table that is 
populated by the users themselves through sign-ups and profile 
edits, and we have a new topic table that contains enough categories 
and topics to give some decent insight into a person. What we’re 
still missing to make mismatches is a way to allow the user to enter 
responses, and then store them away in the response table. 


The -full 一 "fcopi 匕 -table 

Vy -topics bv-okeh uf 

adv*oss ^ 匕 ategovies … it’s ouv* 

^ dirwChsio^s o-f opposebili-ty/ w 





How would you turn this list of categories 
and topics into a set of questions that 
users can provide love/hate responses to? 
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Puild a Mismatch questionnaire 


So how exactly do we get love/hate responses from users for each Mismatch 
topic? The answer is a questionnaire form that allows the user to choose “Love” 
or “Hate” for each topic in the mismatch 一 topic table. This form can be 
generated directly from the responses in the database, with its results getting 
stored back in the database. In fact, the design of the questionnaire form involves 
reading and writing responses from and to the mismatch_response table. 
Here’s a peek at the questionnaire, along with the steps involved in building it. 



A Use INSERT to add empty response rows to the database the first time the user 
” accesses the form. 

We’re going to generate the questionnaire form from data in the mismatch—response table, even when the 
user has never entered any responses. This means we need to “seed” the mismatch—response table with 
empty responses the first time a user accesses the questionnaire. Since the response column for these rows is 
empty, neither the “Love” or “Hate” radio buttons are checked when the form is first presented to the user. 

Use update to change response rows based on user responses on the form. 

When users submit the questionnaire form, we must commit their personal responses to the database. Even 


then, only responses with checked radio buttons should be updated. In other words, the database only 
needs to know about the responses that have been answered. 


A Use select to retrieve the response data required to generate the questionnaire form. 

In order to generate the questionnaire form, we need all of the responses for the logged-in user. Not only that, but we 
need to look up the topic and category name for each response so that they can be displayed in the form 一 these names 
are stored in the mismatch—topic table, not mismatch response. 


Generate the HTML questionnaire form from response data. 

With the response data in hand, we can generate the HTML questionnaire form as a bunch of input fields, 
making sure to check the appropriate “Love” or “Hate” radio buttons based on the user responses. 
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putting responses into mismatchjresponse 


fret responses into the database 


Although it might seem as if we should start out by generating the 
questionnaire form, the form’s dependent on response data existing in the 
mismatch_response table. So first things first: we need to “seed” the 
mismatch_response table with rows of unanswered responses the 
first time a user accesses the questionnaire. This will allow us to generate 
the questionnaire form from the mismatch_response table without 
having to worry about whether the user has actually made any responses. 



The -topics ih the -Poirrw av-c 
initially Uha^swcv-cd we 
seeded rwisrwa-t^h_\rcs{>ohSC 
Crwpty vcspohscs. 



So from the perspective of the questionnaire form, there’s always a row 
of data in the mismatch_response table for each question in the 
form. This means that when the user submits the questionnaire form, 
we just update the rows of data for each response in the form. 


C LE»r #Hut 

二: 



Now that the useir’s dhsweved 
some o( -the ^ucs-tio^s, wc have 
real \rcsj>ohsc daia io s-tov-c *m 
"the rwisma-tth__\rCspo^SC table. 


Although storing responses in the Mismatch database is ultimately a 
two-step process, the first step (INSERT) only takes place once for each 
user. Once the empty responses are added initially, all future changes to 
the questionnaire are handled by the second step via SQL UPDATES. 


mismatch response 



Responses ih the 
database av-c updated -fco 
usc\r vcspohscs ih 
the ^ucs-tiohhai\rC -Pov-rw. 
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PHP& MySQL Magnets 

The following code takes care of inserting empty responses into the 
mismatch—response table the first time a user visits the questionnaire 
form. It also updates the responses when the user makes changes and 
submits the form. Unfortunately, some of the code has fallen off and needs 
to be replaced. Use the magnets to fix the missing code. 


// if this user has never answered the questionnaire^ insert ^ 

$query = "SELECT * FROM mismatch—response WHERE user_id . $_ — 

$data = mysqli—query($dbc ， $query); 

( ($data) == 0) { 

// First grab the list of topic IDs from the topic table 

$query = "SELECT . 


FROM mi 


smatch topic ORDER BY category_id, topic_id 


$data = mysqli_query($dbc, $query); 

$topicIDs = array (); 

while ($row = mysqli_f etch_array($data)) { 

array push ($topicIDs, $row['topic_id']); 

} 

// insert empty response rows into the response table, one per topic 
foreach ($topicIDs as $topic_id) { 


$query 


mismatch—response ". 

\ VALUES . $—SESSION[’user_id']. n \ 1 $topic_id') 


mysqli_query($dbc, $query); 


// If the questionnaire form has been submitted, write the form responses to the database 
if (isset($ POST ['submit'])) { 

// write the questionnaire response rows to the response tab e 
foreach ($_POST as $response_id => $response) { 


$query 


mismatch—response 


response = 'gresponse 


'WHERE 


'$response_id 


mysqli_query($dbc, $query) 


echo '<p>Your responses have been saved.</p> 



you are here ► 
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PHP & MySQL Magnets 

The following code takes care of inserting empty responses into the 
mismatch—response table the first time a user visits the questionnaire 
form. It also updates the responses when the user makes changes and 
submits the form. Unfortunately, some of the code has fallen off and needs 
to be replaced. Use the magnets to fix the missing code. 


// if this user has never answered the questionnaire, insert ⑽冗 —f" 3 " 
$query = "SELECT * FROM mismatch—response WHERE user_id . $_ — 

$ data = mysqli_query($dbc, $q U er y ) ; Ched SCC the 

if ( I myS qli_num_rows^ ($data) == 0) { - - 。作 ws J …… dab/ 


// First grab the list of topic IDs from the topic table 
$query = ” SELECT... topic 一 id 


$query 


INSERT INTO 


user id 


topic 一 id 


FROM mismatch—topic ORDER BY category_id, topic_id , 

卜 ordcv *to av-v-ay 

v-cspoy\scs, \Nt -fiv-s*b need *to yab all o\ 

七 m i\\t "tofid -table. 

The \rcspohSC vow is 
1 UK>ahSwc\rcd W at this poiht 
siMe the usc\r hclSh^t 
dd'tudlly dhosch u lovc w ov* 

4 - oy \ the -fov-rw yet ， 

SESSION ['user_id'] • 11 \ ' $topic_id ’）’’； 


$data = mysqli_query($dbc, $query); 

$topicIDs = array(); 

while ($row = mysqli_fetch_array($data)) { 

array push ($topicIDs , $ row[ topic_id ]), 

} 

// insert empty response rows into the response table, one per topic 
forsach ($topicIDs as $topic_id) { 


mismatch_response 
)VALUES (' M 


mysqli_query($dbc, $query); 


// If the questionnaire form has been submitted, write the form responses to the database 
if (isset ($ POST ['submit'])) { 

// write the questionnaire response rows to the response tab e 
foreach ($_POST as $response_id => $response) { 


UPDATE 


$query =" 

"WHERE [response id |- 


mismatch—response 
'$response_id' 


\ SET] 


mysqli_query($dbc^ $query); 
echo '<p>Your responses have been saved.</p> 


r ㊀ sporise = |$r ㊀ sporLSG* ". 

All cMa^ts y/iicn 
usev submrts -fov 
is VCspoy\sc tolurwr^ 

<Jc 七 he \rcsfor\sc *tablc> sc 

•tiiaVs all v/c update- 
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What’s the deal with the array 一 push () function? I don’t 
think we’ve used that one before. 

We haven't. And that’s because we haven’t needed to build an array 
dynamically one element at a time. The array—push () function 
tacks a new element onto the end of an array, causing the array to grow 
by one. In the Mismatch code on the facing page, we’re using array— 
push () to build an array of topic IDs from the mismatch_ 
topic table. This array is then used to insert blank responses into the 
mismatch response table... one for each topic. 


Use insert to add empty response rows to the 
database the first time the user accesses the form. 





Ba，’ We just killed two 

viv**tu3l bivds with ohc 

and how have the <\ues-tiohhaiv<e 

S 乙 Hpt already hal-P kilt 



date tolnangi 



Use update to Change response rows 
based on user responses on the form. 


队七 *Uo steps art \t^i 

kc-fov-c slav-t 眯 ak” 

love C.ony\Cfi.*t>oy\S Y/rth 七〜 
ves 七 loyma—c … 


^ Use select to retrieve 
the response data 
required to generate 
the questionnaire form. 



1 Generate the HTML questionnaire 
* form from response data. 


you are here ► 
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using data-driven forms 


Wc caw drive a form with data 


It’s nothing new that web forms are used to retrieve data from users via 
text fields, selection lists, radio buttons, etc., but it may not be all that 
obvious that you can generate HTML forms from database data using 
PHP. The idea with Mismatch is to dynamically generate an HTML 
questionnaire form from response data. The Mismatch questionnaire 
script makes the assumption that response data already exists, which 
allows it to generate the form from data in the mismatch—response 
table. We know this assumption is a safe one because we just wrote the 
code to add empty responses the first time a user visits the form. 


Data - ctriven iorms 
rely on data in a 

MySQL database 
to generate HTML 

iorm iields. 


mismatch—response 

response 一 id ^ ^ 

response 

user 」d 


TV^c f\rima\rv key IS 

used *to u^i^ucly idcyrb^Y HTML 
fields asso£.»3*tc 
-field a database \roy/. 


ftTAIL -foirirw toAt is 
gchciratcd daia ih -the 
ismatdh__\rcspohSC table. 


Fo\rm -fields 3VC htA *to 
database voy/s by sc-btmj 
七 1^ -field 

•to i\\t key o-f 

i\\t database. 


action= n n > 


<form method=”post” 

<P>How do you feel about each topic?</p> 
<fieldset> 

<leg 0 nd>App 0 arance< / legend 〉 

〈label for="76">Tattoos:</label><input 


type= 


The cMcckcd a-t-tv-ibu-tc do^-tv-ols 

ihc sclcdiio^ of \radio bui-to^s. 

〈 ^rL' 冗 :: name= " 78 " vaiue= ' ， ^>i^h eck / d ”” />Love 

<ia ^^ 

<fieldset> 

<legend>Entertainment</legend> 


</form> 


r^O 


iMlMnjtcIi - Quwtigniiair^ 





The form reflects 
the user’s 
response choices 
for each topic. 


-Appearand 
TillEJHK ： 
Cold choiiku 


两 [jhvt: 「■ Hulfc 
0 Hate 

©Lqvtc GHaw 
wLavc ^rtOK 


>2 




■ EinccrmlniiTiKDi 
Etealltf TV: 


Ifcrrcir 


Q[jhvts if Hulfi 

0 [■five ■:: HflhJ 
0 LQVTC OHflK 
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E%eftci$e 


The Mismatch response questionnaire is generated from user responses that are stored in the 
mismatch_response table. In order to generate the code for the HTML form, it's necessary 
to read these responses, making sure to look up the name of the topic and category for each 
response from the mismatch_topic table. The following code builds an array of responses 
with topics and categories by performing two queries: the first query grabs the responses for a 
user, while the second query looks up the topic and category name for each response. Problem 
is, some of the code is missing... fill in the blanks to get it working! 



mismat<h topi< 


topicjd 



name 


category 


/Way o*P v-cspohscs 
with -topids 
^atcgov-ics. 



k 76 

1 

Love 

Tattoos 

Appearance 

77 

2 

Love 

Gold chains 

Appearance 

78 

3 

Love 

Body piercings 

Appearance 

79 

4 

Love 

Cowboy boots 

Appearance 

80 

5 

Love 

Long hair 

Appearance 

► 81 

6 

Hate 

Reality TV 

Entertainment 

82 

7 

Love 

Professional wrestling 

Entertainment 

83 

8 

Love 

Horror movies 

Entertainment 

… 


// Grab the response data from the database to generate the form 
$query = "SELECT response_id, topic_id, response FROM mismatch_response 
"WHERE user_id = '" . $_SESSION['user_id ’]. ，… , ； 

$data = mysqli—query($dbc, $query); 

$responses = array(); 

while ($row = mysqli_fetch 一 array($data)) { 

// Look up the topic name for the response from the topic table 

$query2 = " M . 

TKis PttP "WHERE topic_id = 1 " . $row [ * topic_id ' ]. 

WW tells V data2 = rnysqli_query($dbc, .•)•; 

if (mysqli_num_rows( ) == 1) { 

Y ou 0> r $row2 = mysqli_fetch—array ($data2); 

vows ok AdizB $row [ * topic_name']=. 

V"C*buV"r\cd 3s $row [ ' category_name ']= 

<^iaCV"Y vcsul*bs- array_push ($responses f $row); 

} _ 

} 


you are here ► 
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exercise solution 



The Mismatch response questionnaire is generated from user responses that are stored in the 
mismatch_response table. In order to generate the code for the HTML form, it's necessary 
to read these responses, making sure to look up the name of the topic and category for each 
response from the mismatch_topic table. The following code builds an array of responses 
with topics and categories by performing two queries: the first query grabs the responses for a 
user, while the second query looks up the topic and category name for each response. Problem 
is, some of the code is missing... fill in the blanks to get it working! 



mismat<h topi< 


topicjd 



name 


category 


A^v-ay o-P v-cspohscs 

^orrtplc-tc with -topids 

TKc "tofid IP used *to 

look up -topid ar\d 

table . 、 


k 76 

A 

Love 

Tattoos 

Appearance 

77 

M 

Love 

Gold chains 

Appearance 

78 

3 

Love 

Body piercings 

Appearance 

79 

4 

Love 

Cowboy boots 

Appearance 

80 

5 

Love 

Long hair 

Appearance 

81 

6 

Hate 

Reality TV 

Entertainment 

82 

7 

Love 

Professional wrestling 

Entertainment 

83 ^ 

w 

Love 

Horror movies 

Entertainment 


The f^s^oy\scs 

av-v-ay sev-ves as 
a ie 叶 ova\ry 
“■table" of \rcspohsc 

data -fco be used 

io the 

^ucs-tio^^aiv-c -Pov-m. 


Alakc su\rc 
thc\rc adiually 
IS ^espohsc daia 
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// Grab the response data from the database to generate the form 
$query = M SELECT response_id, topic_id, response FROM mismatch—response 
"WHERE user_id = ' " . $_SESSION [ ， user_id ， ] .，▼▼，'； 

$data = mysqli_query($dbc, $query); 

$responses = array(); 

while ($row = mysqli—fetch—array($data)) { 

// Look up the topic name for the response from the topic table 
$query2 = " ... SELECT. FROyVI. 

- ^ "WHERE topic_id = *" . $row['topic_id*]."'"; 

$data2 = mysqli_query (^dbc, ^ucry2 -)) 
if (mysqli_num_rows( - ) == l) i 

$row2 = mysqli—fetch—ar^ay($data2); 

$ row ['topic name ' ] = f\rov/2X\r^w^’]; 

$row [ ' category—name ' ] = 
array_push($responses, $row); 

丁 av-v-ay •fuMticm 

adds (pushes) cm*to 

cr\d o*f av-vsy* 


Use SELECT to retrieve 
the response data 
required to generate 
the questionnaire form. 


I 七 ’s vcv-y ’irwfortarrt 
■to use y\V*\ vaviablcs 

*to d SttOTid 

(irmev) ^uevy so 

七 ha 七 ovi^mal 

c^uev-y iW 七 七 ed. 


"The "topid h3r«C dhd 
v\amxt aire added -to -the 
\rcspohSC a\r\ray by assi^hih^ 
data -Plrom -the sc^Ohd c^uev-y. 


















































control your data, control your world 



A 


No and Yes, which is why it is important to use the 
most efficient data type possible to store data in a 
MySQL database. 

When you think about it, a Mismatch response is more like a true/false 
answer because it’s always either one value (love) or another one (hate). 
Actually, a third value (unknown) can be useful in letting the application 
know when the user has yet to respond to a particular topic. So we really 
need to keep track of three possible values for any given response. This 
kind of storage problem is ideal for a number, such as a TINYINT. Then 
you just use different numeric values to represent each possible response. 


? 


l 




Unknown 


0 



Love 


0 

Hate = 2 


Minimizing the storage requirements of data is an important part of 
database design, and in this case a subtle but important part of the 
Mismatch application. These numeric responses play a direct role in the 
generation of form fields for the Mismatch questionnaire. 



irpen your pencil 


Pern ’ 七 v/ovvy akoiA*t tta 七 ' 

radio ku*t*bo^s -for v\o^i - ^ 

same v/ay. 



The following code loops through the Mismatch response array 
that you just created, generating an HTML form field for each 
"Love” radio button. Fill in the missing code so that the form field 
is initially checked if the response is set to love (1). Also, make 
sure the value of the <input> tag is set accordingly. 


foreach ($responses as $response) 


if 


echo '<input type= M radio" name: 
*" value= checked= 


else { 

echo '<input type="radio' 
'"value= / >Love 


name: 


.$response['response—id'] 
/>Love '; 


.$response['response id 1 ] 


you are here ► 
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sharpen your pencil solution 

- %^arpen your pendl 

Solution 


The following code loops through the Mismatch response array 
that you just created, generating an HTML form field for each 
"Love” radio button. Fill in the missing code so that the form field 
is initially checked if the response is set to love (1). Also, make 
sure the value of the <input> tag is set accordingly. 


The w Lovc ，； v-ad»o > s 

based or. value resist 

(I vc\>v-csc^*b love m dalabascA 

foreach ($responseslas $response) 

參參參 

if ( fVcsPo^scCVcs 


echo 

'<input 

type= 

"radio' 

''name=' 

1 If 

value= w r checked^ 

匕 ked 

} 

else { 





echo 

'<input 

type= 

"radio' 

''name=' 


1( this 代 spohse is 兄七 "to love 
(/)，dKcdk "tKc \r^dio by 

settihj i-fcs attv-ibutc 

1 $response['response 一 id'] 


uiw 


The value o( -the <ihput> tag is set 
■feo 1 so that it will be easier -to 
the \TCSpohSC ih the ddiabas 
whch the -Po\rrn is subrwitted. 


.$response[’response—id ， ] 

Lcavm^ tVictkcd 

vcsul*ts v*ad.K> button 

k— uWctkcd 4 七 ^ 呼吣 c 
lSh*t SC*t *to love (I). 


foreach ($responses as $response) { 



• • • 

if ($response[|response|] == 2) { 


_id']. 

echo '<input type=”radio” name=" 

， .$response['response— 

▼” value="2" checked="checked" 

/>Hate '; 


i 

else { .... 

echo '<input type="radio" name=" 
"▼ value="2" />Hate ▼; 

__ 

， .$response[▼response— 

_1 


yo = 代 Wious, the Code io gchcv-atc 

七 he Hate v-adio buttohs wovks exactly 
the sarwc way - it just looks -Poir a slightly 
d\Hc^i 代 spoh 兄 … bui thcv-cs anally a 

way h> gehevale both the u Uvc w 

Hate v-adio but-fcohs y/i-tli less dodc... 
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Speaking of cfficicwcy 


• tt 


Database efficiency isn’t the only kind of efficiency worth considering. 
There’s also coding efficiency, which comes in many forms. One form 
is taking advantage of the PHP language to simplify if-else statements. 
The ternary operator is a handy way to code simple if-else 
statements so that they are more compact. 


true 



TestExpression \Statementl 1 : )Statement2 



^ is "brue, 

S-tatcmch-tl is executed- 



Tke ternary ? 
operator can te 
used to code il-else 
statements in a 
more compact lorm. 




false 


l-P Tc%*tt^v-css»oy\ is A-alsc, 

七 i k 七 ed. 


The ternary operator is really just a shorthand way to write an if-else 
statement. It can be helpful for simplifying if-else statements, especially 
when you’re making a variable assignment or generating HTML code in 
response to the if condition. Here’s the same “Love” radio button code 
rewritten to use the ternary operator: 


.$response[ 1 response id *] 


? ' checked= M checked' 


echo * <input type= n radio" name: 
($response['response']== 

This {x\At /-false -test Cov\bro\s the 
ou-Uomc o( -the tc\rhav-y opcv-a*tor. 


If the response value stored in $ response [ ▼ response ▼] is equal to 
1, then the checked attribute will get generated as part of the 〈 input 〉 
tag, resulting in the following checked “Love” radio button: 


value="1 


/ >Love 



TV decked atVibute 

七 k <ihput> tag is 
gchc\ra-tcd usi% 七 he 
opev-a-tov ^sitad 

如 i-f-dsc s-tatcmch-t. 




TV^is 

■tag’s Code *»s tor\*bv-ollcd 
by ofc^raW. 


1141 

Lcmss hair: @ OHaw _ [ I 


On the other hand, a response value of anything other than 1 will prevent 
the checked attribute from being generated, resulting in an <input> 
tag for the “Love” radio button that is unchecked. 
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ftewcratG the Mismatch questionnaire form 


We now have enough pieces of the Mismatch questionnaire form puzzle to use the 
response array ($responses) we created earlier to generate the entire HTML 
form. If you recall, this array was built by pulling out the current user’s responses 


from the mismatch_response table. Let’s go ahead and see the questionnaire 
generation code in the context of the full questionnaire . php script. 


<?php 

// Start the session 

require—once(’ startsession.php'); 

// Insert the page header 
$page—title = 'Questionnaire'; 
require once(’header.php'); 



l^ludc the template -Piles 
七 ha 七 s-ta\rt -the session dhd 
display the page headev-. 



questionnaire.php 


require—once('appvars.php'); 
require once('connectvars.php'); 


// Make sure the user is logged in before going any further. 
if ( !isset ($ SESSION['user id'])) { 



pay *to 


echo '<p class= n login">Please <a href= M login.php n >log in</a> to access this page.</p>'; 


exit(); 


// Show the navigation menu 
require once('navmenu.php'); 


// Connect to the database 

$dbc = mysqli connect(DB HOST, DB USER, DB PASSWORD, DB NAME); 


❶ 


// If this user has never answered the questionnaire, insert empty responses into the database 
$query = "SELECT * FROM mismatch—response WHERE user_id = '" . $_SESSION['user_id'] . n,n ; 

$data = mysqli—query($dbc, $query); 
if (mysqli_num—rows($data) == 0) { 

// First grab the list of topic IDs from the topic table 

$query = "SELECT topic—id FROM mismatch—topic ORDER BY category—id, topic_id n ; 

$data = mysqli—query($dbc, $query); 

$topicIDs = array(); 

while ($row = mysqli—fetch—array($data)) { 

array—push($topicIDs, $row['topic_id']); 

} 


// Insert empty response rows into the response table, one per topic 
foreach ($topicIDs as $topic—id) { 

$query = ''INSERT INTO mismatch—response (user_id, topic_id) VALUES ('" 
n ’， ’ $topic_id ’）”； 
mysqli—query($dbc, $query); 

} 


SESSION['user id'] 


❺乂 


「II If the questionnaire form has been submitted, write the form responses to the database 
if (isset($—POST['submit'])) { 

// Write the questionnaire response rows to the response table 
foreach ($_POST as $response_id => $response) { 

$query = "UPDATE mismatch response SET response = '$response'". 
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"WHERE response_id = '$response_id'"; 
mysqli—query($dbc, $query); 

} 一 

echo '<p>Your responses have been saved.</p>'; 


f // Grab the response data from the database to generate the form 

$query = "SELECT response_id, topic_id, response FROM mismatch—response WHERE user—id 
$_SESSION['user_id'] . n,n ; 

$data = mysqli—query($dbc, $query); 

$responses = array(); 

while ($row = mysqli—fetch—array($data)) { 

// Look up the topic name for the response from the topic table 
$query2 = "SELECT name , category FROM mismatch topic WHERE topic id = "▼ 


$row['topic id 1 ] 


$data2 = mysqli—query($dbc, $query2); 
if (mysqli—num—rows($data2) == 1) { 

$row2 = mysqli—fetch—array($data2); 

$row['topic—name ’] = $row2['name']; 

$row['category—name’] = $row2['category']; 
array—push($responses, $row); 

} 


q\rab the Caic^o\ry o( -the 
\rcspohSc -to gc-t s-bv-ted 
bc-Po\rc the loop. 


mysqli—close($dbc); 

// Generate the questionnaire form by looping through the 
echo '〈form method= M post M action=”' . $—SERVER['PHP—SELF'] 

echo '<p>How do you feel about each topic?</p> 

$category = $responses[0]['category—name ']; ， 
echo 1 <f ieldsetxlegend> 1 . $responses [ 0 ] [ 1 category—name '] 

foreach ($responses as $response) { 



onse array 

>'; 


'</legend> 


// Only start a new fieldset if the category has changed 
if ($category != $response['category—name']) { 

$category = $response[ 1 category—name']; 

echo '</fieldset><fieldset><legend>' . $response['category name'] 


'</legend> 


// Display the 
echo '<label ' 


topic form field 
.($response['response'] 




NULL ? 'class= M error n ' : 


f or= 



$response[* response—id']. 
echo 1 <input type="radio M id: 
$response[ 1 response—id 1 ]. 
($response['response']== 
echo ' <input type= M radio n id: 
$response['response_id 1 ]. 
($response['response'] ==21 


9 


>’ .$response['topic—name'] 

.$response['response—id'] 
value= M 1" 1 
1 checked= n chec}ced , 

.$response['response 
value="2" 1 

'checked= M checked' 


'</fieldset> 

1 <input type: 
'</form> ’； 


'submit" value="Save Questionnaire 


// Insert the page footer 
require once('footer.php'); 


?> 


o-P -tKcsc tcMo s*ta 七 cm ⑼ ts 
ftcr>cva*tcs a \rad'io 
^OV w Lo\/, fov “Hat〆 


RcrwCrwbcv, 
I — love, 

Z - hate. 



' : </label>'; 
"name= M '. 

/>Love ▼; 

▼' name="'. 

/>Hate<br /> 


tatii is 

tveated as a ?icldsc*b 
•to iiclp 

•topics -toybiicv-. 

the 

opcv-aW is used ijo 
the s-tyle 
of ihc label 

-fcopids. 


submit" /> 


EatK -topid is 
ertaitd as a 
label -follov/cd by 
u Uvc w arsd u ttaV 
vadio bu*t*tor\s- 


or>c 



r.xs ^ 

the HTML qu 


Generate fHe HTML questionnaire 
form from response data. 


you are here ► 
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test out questionnaire.php 




Tesr DriVq 


Try out the new Mismatch questionnaire. 

Modify Mismatch to use the new Questionnaire script (or download the application from 
the Head First Labs site at www. headfirst labs . com/boo ks/hfphp). This requires 
creating a new questionnaire . php script, as well as adding a “Qjaestionnaire” menu 
item to the navmenu . php script so that users can access the questionnaire. 

Upload the scripts to your web server, and then open the main Mismatch page (index . php) 
in a web browser. Make sure you log in, and then click the “Qjaestionnaire” menu item to 
access the questionnaire. Notice that none of the topics have answers since this is your first 
visit to the questionnaire. Answer the responses and submit the form. Return to the main 
page, and then go back to the questionnaire once more to make sure your responses are 
properly loaded from the database. 
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Q/ How does the “Love” radio button code know that the 
ternary operator result is a string? 

The ternary operator always evaluates to one of the two 
statements on each side of the colon based on the value (true or 
false) of the test expression. If these statements are strings, then 
the result of the ternary operator will be a string. That’s what makes 
the operator so handy—you can insert it right into the middle of an 
assignment or concatenation. 

Does the ternary operator make my script run faster? 

No, probably not. The ternary operator is more about adding 
stylistic efficiency to your code than performance efficiency, meaning 
that it literally requires less script code. Sometimes it’s more concise 
to use the ternary operator rather than a full-blown if-else 
statement, even though the two are logically equivalent. Even so, 
don’t get too carried away with the ternary operator because it can 
make some code more difficult to understand if you’re attempting 
to recast a complex if-else statement. The idea is to use the 
ternary operator in places where eliminating an if-else can 
actually help simplify the code, as opposed to making it more 
complicated. This usually involves using the ternary operator to 
selectively control a value being assigned to a variable or inserted 
into an expression. In the case of the Mismatch radio buttons, the 
latter approach was used to selectively control the insertion of an 
HTML attribute (checked). 


How is it possible to generate the Mismatch questionnaire 
form from the mismatch_response table when the user 
has yet to respond to anything? 

Excellent question. The questionnaire form has to deal with 
two possible scenarios: the user is answering the questionnaire 
for the first time or the user has already answered it and is revising 
answers. In the first scenario, no responses have been made, so 
the mismatch_response table has no data for this user yet. 
But we still need to dynamically generate the form. We could use 
the mismatch—topic table for this one-time form generation. 
This won’t work for the second scenario, however, because this time 
the form must be generated based on the user’s specific love/hate 
responses; remember, the radio buttons for “Love” and “Hate” are 
generated as part of the form. So we have a problem in that the code 
to generate the form is completely different depending on whether 
the users have answered the questionnaire. Not only that, but what if 
they only answered a few questions? This gets messy in a hurry. 

The solution taken by Mismatch is to pre-populate the 
mismatch_response table with unanswered responses 
the first time the user accesses the questionnaire. This 
allows us to always generate the questionnaire form from the 
mismatch_response table, and not worry about the 
complication of generating the form differently based on whether 
the users have responded before, or which specific topics they’ve 
responded to. Sure, the form generation code still isn’t exactly trivial, 
but it’s simpler than if we had not taken this approach. 


⑤ 

@ 

@ 
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Add a new topic to your own mismatch—topic table with this SQL statement ： 

INSERT INTO mismatch—topic 
(name, category) VALUES 
('Virtual guitars ', ' Activities') 

Empty all the data from the mismatch—response table with this SQL statement ： 





DELETE FROM mismatch—response 

View the questionnaire in the Mismatch application to see the new topic. 

Respond to the new topic, submit the form, and check out your saved response. 
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The data is wow drivmg the form 


It took some doing, but the Mismatch application dynamically generates 
the questionnaire from responses stored in the database. This means 
that any changes made to the database will automatically be reflected in 
the form — that’s the whole idea of driving the user interface of a web 
application from a database. But what happens when we have bad data? 


mismotch response 



mismatch topic 

responsejd 
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name 

response 

category 

user 一 id 

topiejd 
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The data is driving the form’s fine, but something’s amiss. It appears 
that one of the categories has been misspelled in the database, causing 
the PHP code to generate a separate fieldset for it. This is a big problem 
because it ruins the effect of using fieldsets to help organize the form and 
make it easier to respond to topics. 
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OK, so one of the categories in the database 
is misspelled, which is screwing up our form. 
How do you guys think we should fix it? 


O 


o 


misir 


La. udJ 


:opic 



Flr^hk 


topic id 。 — V. 

name 

category 

• • • _ _ 

—rm 

Horror movies | 

Entertainment | 

— 
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Entertinment/p 
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—^~~1 

Sushi ^ | 

Food 

12 | 
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Food 


Spicy food_ 

F °gj — 


Peanut butter & 
banana sandwiches 

Food 

15 

[ Martinis 

1 Food 
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Howard Stern 

1 People 
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Bill Gates 

18 
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Frank: That’s easy. Just change the name of the category in the mismatch—topic table to the correct spelling. 

Joe ： But there’s more than one category misspelled. And now that I think about it, I’m not really understanding why 
the category names have to be stored more than once. 

Jill ： I agree. We went to the trouble of eliminating duplicate data in designing the database schema, yet here we are 
with a bunch of duplicate category names. Not only that, but we have a couple that aren’t even correct. 


Frank: OK, what about just getting rid of category names and maybe referring to categories by number? Then you 
wouldn’t run the risk of typos. 

Joe ： True, but we still need the category names as headings in the questionnaire form. 

Jill: Maybe we can refer to categories by number without throwing out the names. That’s sort of what we’re doing 
with topics already with the mismatch—topic table, right? 

Joe ： That’s right! We didn’t want to store a bunch of duplicate topic names in the mismatch_response table, so 
we put the topic names into the mismatch—topic table, and tied topics to responses with numeric keys. 

Frank: Are you saying we could solve the duplicate category name problem by creating a new category table? 


Jill: That’s exactly what he’s saying. We can create a new mismatch_category table where each category 
name is stored exactly one time. And then connect categories with topics using primary and foreign keys between 
mismatch topic and mismatch category. Brilliant! 
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normalizing your data 


Strive for a bit of normalcy 

The process of redesigning the Mismatch database to eliminate 
duplicate data and break apart and connect tables in a logical and 
consistent manner is known as normalization. Normalization 
is a fairly deep database design topic that can be intimidating. But 
it doesn’t have to be. There are enough simple database design 
techniques we can graft from the basics of normalization to make 
our MySQL databases much better than if we had just guessed at 
how data should be laid out. 


Here are some very broad steps you can take to begin the database 
design process that will naturally lead to a more “normal” database: 


Normalization means 


designing a database to 
reduce duplicate ctata and 





tke relationskips 



Pick your thing, the one thing you want a ^_ 〆 七 he 七 ㈣ 

table to describe. ^ ^ 

be about^ 


2. Make a list of the information you need to 
know about your one thing when you’re 
using the table. 


Wow will y ou usc 

ihisUle? - 


3. Using the list, break down the information 

about your thing into pieces you can use ^ you most casil .7 

for organizing the table. ' 蝴七 w’s -table? 


One fundamental concept in normalization is the idea of atomic 
data, which is data broken down into the smallest form that makes 
sense given the usage of a database. For example, the f irst—name 
and last—name columns in the Mismatch database are atomic in 
a sense that they break the user’s name down further than a single 
name column would have. This is necessary in Mismatch because 
we want to be able to refer to a user by first name alone. 


It might not always be necessary for an application to break a full 
name down into separate first and last columns, however, in which 
case name by itself might be atomic enough. So as you’re breaking 
down the “one thing” of a table into pieces, think about how the 
data is going to be used, not just what it represents. 


Atomic data is 
data tkat kas teen 
troken down into tke 
smallest iorm neeJcJ 
lor a given dataLase. 
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Whew normalizing, think m atoms 


To help turn your database design brainstorms into actions, it’s helpful to 
ask targeted questions of your data. This will help determine how the data 
fits into a table, and if it has truly been broken down into its appropriate 
atomic representation. No one ever said splitting the atom was easy, but 
this list of questions can help. 

1. What is the OI1G thing your 

table describes ?〜 n , L1 ,, 

^ ocs y ou<r "tabic desdv-ibe 
alieh sightings, email lisi 
subsdirip-tiohs, video gx high 
hopeless v-o^ahtids? 

2. How will you USG the table to ^ 

get at the one thing? ^ 祕 1 严 

^ ^ be easy to ^ucv-y! 




Making your data 
atomic is tke first 
step in creating a 
normal tatle. 



3. Do your Columns contain ^ daia \S Ohly as 

atomic data to make 〆 al — “ 

your queries short and to the point? 



Dumb Quest? 


9ns 


Should I try to break my data down into the tiniest pieces 
possible? 


A 


Not necessarily. Making your data atomic means breaking it 
down into the smallest pieces that you need to create an efficient 
table, not just the smallest possible pieces you can. 


Don’t break down your data any more than you have to. if you don’t 
need extra columns, don’t add them just for the sake of it. 


How does atomic data help me? 

It helps you ensure that the data in your table is accurate. 

For example, if you have a column for the street address of an 
alien sighting, you might want to break the street address into two 
columns: the number and the street. Then you can make sure that 
only numbers end up in the number column. 

Atomic data also lets you perform queries more efficiently because 
the queries are easier to write, and take a shorter amount of time to 
run, which adds up when you have a massive amount of data stored. 
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virtues of normalization 


Why be normal really? 


If all this talk about nuclear data and normalcy seems a bit overkill 
for your modest database, consider what might happen if your web 
application explodes and becomes the next “big thing.” What if your 
database grows in size by leaps and bounds in a very short period of time, 
stressing any weaknesses that might be present in the design? You’d rather 
be out shopping for your new dot-com trophy car than trying to come 
up with a retroactive Band-aid fix for your data, which is increasingly 
spiraling out of control. You yearn for some normalcy. 


If you still aren’t convinced, or if you’re stuck daydreaming of that 
canary yellow McLaren, here are two proven reasons to normalize your 
databases: 


Normalization kas 
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improvements in 
database size and 


speecL 


l ifornol won't have duplicate data, 
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Huge bloated database bad... 
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Three steps to a normal database 


You’ve pondered your data for a while and now have a keen appreciation 
for why it should be normalized, but general ideas only get you so far. 
What you really need is a concise list of rules that can be applied to any 
database to ensure normalcy... kinda like a checklist you can work through 
and use to make sure a database is sufficiently normal. Here goes: 

o Make sure your columns are atomic. 

For a column to truly be atomic, there can’t be 
several values of the same type of data in that 
column. Similarly, there can’t be multiple columns 
with the same type of data. 



Normalizing a O 
database involves 


strictly aetkeringf ❹ 
to a series oi 


design steps. 
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love 

hate 

cowboy boots, long hair, 
reality TV, easy listening 
music, the opera 

tattoos, gold chains, 

body piercings, 
professional wrestling, 
horror movies 


tattoos, gold chains, body 

piercings, cowboy boots, 
long hair, professional 
wrestling, horror movies 

reality TV, easy listening 

music, the opera 

_^ ---- 


Scvcval values o-f the same type o-f 

data ih the same a^d 

thcv-C 3\re also multiple dolumhS 
with ihe same data … big problem/ 


o Give each table its own primary key. 

A primary key is critical for assuring that data in a 
table can be accessed uniquely. A primary key should 
be a single column, and ideally be a numeric data 
type so that queries are as efficient as possible. 


username password | ••• 


dierdre 

08447b … 


baldpaul 

230dcb … 


jnettles 

e511 d7... 


rubyr 

062e4a... 


theking 

b4f283... 



七 a pv-imavy key, 

^ - - 七 Vive’S ⑽ way -to cr\su\rc 

uy\i<\uer\ess 

\roy/s m *tWis -tdblc- 



❺ Make sure non-key columns aren’t 
dependent on each other. 

This is the most challenging requirement of 
normal databases, and one that isn’t always worth 
adhering to strictly. It requires you to look a bit 
closer at how columns of data within a given table 
relate to each other. The idea is that changing the 
value of one column shouldn’t necessitate a change 
in another column. 
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normalize the mismatch database 



E%eftci$e 


The Mismatch database is in need of a normalization overhaul to solve the problem of duplicate 
category names. Given the existing database structure, sketch a modified design that solves the 
duplicate category problem, eliminating the risk of data entry errors. Make sure to annotate the 
design to explain how it works. 


mismatch user 


user id ^ If 


username 


password 


join date 


first name 


last name 


gender 


birthdate 


state 


picture 
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Dumb Questions 

How do I go about applying the third normalization step to Mismatch to fix the 
hypothetical city/state/ZIP problem? 

The solution is to break out the location of a user into its own table, and then 
connect the mismatch_user table to the new table via a foreign key. So you 
might create a table called mismatch—location that has a primary key named 
location_id, along with columns to store the city and state for a user, for example. 
Then the city and state columns are removed from mismatch_user and 
replaced with a location—id foreign key. Problem solved! What makes this design 
work is that the location_id column actually uses the ZIP code as the primary key, 
alleviating the non-key dependency problem. 

Geez, that seems like a lot of work just to meet a picky database design 
requirement. Is that really necessary? 

Yes and no. The first two normalization steps really are non-negotiable because 
atomic data and primary keys are critical to any good database design. It's the third step 
where you enter the realm of weighing the allure of an impeccable database design 
against the practical realities of what an application really needs. In the case of the 
Mismatch city/state/ZIP problem, it's probably worth accepting for the sake of simplicity. 
This isn’t a decision that should be taken lightly, and many database purists would argue 
that you should rigidly adhere to all three normalization steps. The good news is that the 
ZIP code column is purely hypothetical, and not actually part of the mismatch—user 
table, so we don’t really have to worry about it. 

Even without the ZIP code column, wouldn’t city and state need to be moved 
into their own tables to meet the third normalization step? 

Possibly. It’s certainly true that you will end up with duplicate city/state data in the 
mismatch_user table. The problem with breaking out the city and state without a 
ZIP code is that you would have to somehow populate those tables with every city and 
state in existence. Otherwise users would no doubt misspell some cities and you’d still end 
up with problematic data. This is a good example of where you have to seriously weigh the 
benefits of strict normalization against the realities of a practical application. 

An interesting possible solution that solves all of the problems is to use a ZIP code in the 
mismatch_user table instead of a city and state, and then look up the city and state 
from a static table or some other web service as needed. That’s more complexity than we 
need at the moment, so let’s just stick with the city and state columns. 
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the mismatch database 一 now normalized! 



The Mismatch database is in need of a normalization overhaul to solve the problem of duplicate 
category names. Given the existing database structure, sketch a modified design that solves the 
duplicate category problem, eliminating the risk of data entry errors. Make sure to annotate the 
design to explain how it works. 
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How exactly does the new mismatch—category 
table solve the duplicate data problem? 

The new table separates category names from the 
mismatch_topic table, allowing them to be stored by 
themselves. With categories stored in their own table, it’s no 
longer necessary to duplicate their names—you just have a row for 
each category, and these rows are then referenced by rows in the 
mismatch—topic table. This means that category rows in the 
mismatch_category table have a one-to-many relationship 
with topic rows in the mismatch topic table. 


So does that mean the mismatch_category table 
only has five rows, one for each category? 
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Indeed it does: 
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Altering the Mismatch database 

In order to take advantage of the new schema, the Mismatch database 
requires some structural changes. More specifically, we need to create a 
new mismatch—category table, and then connect it to a new foreign 
key in the mismatch—topic table. And since the old category 
column in the mismatch—topic table with all the duplicate category 
data is no longer needed, we can drop it. 

Cv-catc the hew datcgo\ry -table 

CREATE TABLE mismatch 一 category ( "that will hold hdmes 

by themselves. 


category—id 工 NT NOT NULL AUTO_INCREMENT, 
name VARCHAR(48) NOT NULL, 

PRIMARY KEY (category id) 
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ALTER TABLE mismatch_topic 
DROP COLUMN category 



ALTER TABLE mismatch_topic 

ADD COLUMN category id 工 NT NOT NULL 
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The new mismatch_category table must be populated with 
category data, which is accomplished with a handful of INSERT 
statements. 

INSERT INTO mismatch 一 category (name) VALUES ('Appearance') 
INSERT INTO mismatch 一 category (name) VALUES ( 1 Entertainment') 
INSERT INTO mismatch 一 category (name) VALUES ('Food') 

INSERT INTO mismatch 一 category (name) VALUES ( 1 People') 

INSERT INTO mismatch 一 category (name) VALUES ('Activities') 

The new category—id column must then be populated with 
data to correctly wire the category of each topic to its appropriate 
category in the mismatch 一 category table. 

UPDATE mismatch—topic SET category_id = 3 ^ 

TVis ID should i\\t au*to- 


WHERE name 


'Martinis 


-fvom {}\t misma 七 A 一乙 *table. 
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test drive the normalized mismatch tables 




Tesr DriVq 


Create and populate the new mismatch 一 category database table. 

Using a MySQL tool, execute the CREATE TABLE SQL command on the previous page 
to add a new table named mismatch_category to the Mismatch database. Then issue 
the INSERT statements to populate the table with category data. Now run the two ALTER 
statements to modify the mismatch—topic table so that it has a category_id column. 
Finally, UPDATE each row in the mismatch—topic table so that its category_id 
column points to the correct category in the mismatch_category table. 

Now run a SELECT on each of the tables just to make sure everything checks out. 


So is Mismatch really normal? 


Yes, it is. If you apply the three main rules of normalcy to each of the 
Mismatch tables, you’ll find that it passes with flying colors. But even 
if it didn’t, all would not be lost. Just like people, there are degrees of 
normalcy when it comes to databases. The important thing is to attempt 
to design databases that are completely normal, only accepting something 
less when there is a very good reason for skirting the rules. 


o Make sure your columns are atomic, 
o Give each table its own primary key. 

❺ Make sure non-key columns aren’t 
dependent on each other. 
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Doesn*t the new Mismatch 
table design affect the 
queries that are being made in 
the questionnaire script code? 


mismat<h cafegory 


category 一 id 0 "V 


name 







// Grab the response data from the database to generate the form 
$query = ” SELECT response—id, topic—id, response FROM mismatch—response 

"WHERE user—id = '" . $_SESSION['user_id '].； 

$data = mysqli—query($dbc, $query); 

$responses = array(); 

while ($row = mysqli—fetch—array($data)) { . 

// Look up the topic name for the response from the topic table 
$query2 = "SELECT name, category FROM mismatch—topic ” . 

"WHERE topic—id = '" . $row['topic—id ']."'"' 

$data.2 = mysqli_query ($dbc A $query2), 

if (mysqli_num_rows($data2) == 1) { 

$row2 = mysqli 一 fetch — array($data2)’ 

$row['topic_name'] = $row2['name *]; 

$row['category—name'] = $row2['category']; 
array push($responses, $row); 



Yes. In fact, most structural database changes require 
us to tweak any queries involving affected tables. 


questionnaire.php 


In this case, changing the database design to add the new mismatch_ 
category table affects any query involving the mismatch—topic 
table. This is because the previous database design had categories 
stored directly in the mismatch—topic table. With categories broken 
out into their own table, which we now know is a great idea thanks to 
normalization, it becomes necessary to revisit the queries and code them 
to work with an additional table (mismatch_category). 
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there must be a better way to perform queries! 


A query within a query within a query." 

One problem brought on by normalizing a database is that queries often 
require subqueries since you’re having to reach for data in multiple tables. 
This can get messy. Consider the new version of the query that builds the 
response array to generate the Mismatch questionnaire form: 


More tables usually 
lead to messier queries. 


// Grab the response data from the database to generate the form 
$query = "SELECT response 一 id, topic_id, response FROM mismatch response 
"WHERE user—id = ,n . $—SESSION['user—id'] . n,n ; 

$data = mysqli—query($dbc, $query); 

$responses = array(); 

while ($row = mysqli_fetch array($data)) { 

// Look up the topic name for the response from the topic table 
$query2 = "SELECT name, category_id FROM mismatch 一 topic M . 

"WHERE topic_id = ,n . $row['topic—id'] . n ▼"; 

$data2 = mysqli—query($dbc, $query2); 
if (mysqli_num_rows($data2) == 1) { 

$row2 = mysqli—fetch array($data2); 

$row['topic 一 name'] = $row2['name']; 

// Look up the category name for the topic from the category table 
$query3 = "SELECT name FROM mismatch 一 category M . 

'WHERE category_id = ,n . $row2['category_id'] . n,n ; 

$data3 = mysqli—query($dbc, $query3); 
if (mysqli num—rows($data3) == 1) { 

$row3 = rj^qli—fetch—array ($data3); 

$row['c»tegory_name'] = $row3['name']; 
array g/Gsh ($responses, $row); 
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tables 

Uf s a" join -hands 


Yikes! Gan anything be done about all those nested queries? The solution 
lies in an SQL feature known as a join, which lets us retrieve results from 
more than one table in a single query. There are lots of different kinds 
of joins, but the most popular join, an inner join, selects rows from two 
tables based on a condition. In an inner join, query results only include 
rows where this condition is matched. 


A join g[rats results 
Irom multiple tables 
in a single cjuery. 


— — 


SELECT mismatch 一 topic.topic—id, mismatch 一 category.name 
FROM mismatch topic 
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This inner join successfully merges data from two tables that would’ve 
previously required two separate queries. The query results consist of 
columns of data from both tables. 
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using dot notation 

A with 
Connect dots 






Since joins involve more than one table, it’s important to be clear about 
each column referenced in a join. More specifically, you must identify 
the table for each column so that there isn’t any confusion — tables often 
have columns with the same names, especially when it comes to keys. Just 
preface the column name with the table name, and a dot. For example, 
here’s the previous INNER JOIN query that builds a result set of topic 
IDs and category names: 

十 ,^ • This is the o( the 匕 olurwh 

T hi S x ir amC Thc doi， wilhi, the table, 

c by b dot (peviod) 

SELECT mismatch 一 topic .’topic—id, mismatch 一 category • name ^ ay\ 0 "t^CV" "tdWc/ 

FROM mismatch 一 topic 

uses 佚 c do 七 ⑽ Ub 

INNER JOIN mismatch—category 

ON (mismatch topic.category id = mismatch category.category id) 


Dot notation allows 
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to witkin a join. ^ 1 
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Without the ability to specify the tables associated with the columns in this 
query, we’d have quite a bit of ambiguity. In fact, it would be impossible 
to understand the ON part of the query because it would be checking to 
see if the category_id column equals itself, presumably within the 
mismatch_topic table. For this reason, it’s always a good idea to be 
very explicit about identifying the tables associated with columns when 
building JOIN queries. 
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Surely we can do more with inner joins 


Inner joins don’t stop at just combining data from two tables. Since 
an inner join is ultimately just a query, you can still use normal query 
constructs to further control the results. For example, if you want to 
grab a specific row from the set of joined results, you can hang a WHERE 
statement on the INNER JOIN query to isolate just that row. 

SELECT mismatch 一 topic•topic—id, mismatch 一 category.name 
FROM mismatch—topic 
INNER JOIN mismatch 一 category 

ON (mismatch—topic.category 一 id = mismatch 一 category.category 一 id) 
WHERE mismatch topic.name = 'Horror movies' 


An INfNfER JOIN 

combines rows from 
two tables using 
comparison operators 
in a condition. 


So what exactly does this query return? First remember that the WHERE 
clause serves as a refinement of the previous query. In other words, it 
further constrains the rows returned by the original INNER JOIN 
query . As a recap, here are the results of the inner join without the 
WHERE clause: 
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The WHERE clause has the effect of whittling down this result set to a 
single row, the row whose topic name equals ' Horror movies '. We 
have to look back at the mismatch topic table to see which row this is. 
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simplifying queries with the USING statement 



So a WHERE clause lets you constrain the results of a 
JOIN query based on rows in one of the joined tables? 

That’s correct. Keep in mind that the actual comparison taking 
place inside a WHERE clause applies to the original tables, not 
the query results. So in the case of the Mismatch example, the query 
is retrieving data from two different tables that match on a certain 
column that appears in both tables (category_id), and then 
only selecting the row where the name column in mismatch_ 
topic is a certain value (' Horror movies '). So the 
INNER JOIN takes place with respect to the category—id 
column in, both tables but the WHERE clause refines the results 
using only the name column in the mismatch topic table. 


Could the WHERE clause in the Mismatch JOIN query be 
based on the mismatch—category table instead? 

Absolutely. The WHERE clause can restrict query results 
based on either of the tables involved in the join. As an example, the 
WHERE clause could be changed to look only for a specific category, 
like this: 

...WHERE mismatch 一 category.name = 'Entertainment' 

This WHERE clause limits the result set to only include topics that 
fall under the Entertainment category. So the WHERE clause doesn’t 
affect the manner in which the tables are joined, but it does affect the 
specific rows returned by the query. 


Simplifying ON with USIN& 

Remember that our goal is to simplify the messy Mismatch queries with 
INNER JOIN. When an inner join involves matching columns with 
the same name, we can further simplify the query with the help of 
the USING statement. The USING statement takes the place of ON in an 
INNER JOIN query, and requires the name of the column to be used in 
the match. Just make sure the column is named exactly the same in both 
tables. As an example, here’s the Mismatch query again: 


Rewrite OV witk 

USING for more 

concise inner join 
queries tkat matcli 
on a common column. 


SELECT mismatch 一 topic•topic_id, mismatch 一 category•name 
FROM mismatch 一 topic 
INNER JOIN mismatch 一 category 
ON (mismatch topic.category id = mismatch category.category id) 


0 ^ 

dolumy\S is 七 he sa^C - or\ly 
tables avc diWerent 


WHERE mismatch_topic.name = 'Horror movies' 

Since the ON part of the query relies on columns with the same name 
(category—id), it can be simplified with a USING statement: 

SELECT mismatch 一 topic.topic_id, mismatch 一 category.name 
FROM mismatch 一 topic 

_ AH that is \rc<\ui\rcd is the 

INNER JOIN mismatch—category ^ ^ 仏 |_ 心 ， ho ^ 

USING (category_id) - 二 . 


Tke column names 
must he tltie same 
in order to use tke 
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WHERE mismatch_topic.name = 'Horror movies 
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Nicknames for tables and columns 


Our INNER JOIN query just keeps getting tighter! Let’s take it one step 
further. When it comes to SQL queries, it’s standard to refer to table and 
columns by their names as they appear in the database. But this can be 
cumbersome in larger queries that involve joins with multiple tables — the 
names can actually make a query tough to read. It’s sometimes worthwhile 
to employ an alias, which is a temporary name used to refer to a table or 
column in a query. Let’s rewrite the Mismatch query using aliases. 

The todt 3 bi*t 
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An alias allows you 
to rename a table 
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Are aliases only good for writing more compact queries? No, there are 
some situations where they’re downright essential! A join that would be 
quite handy in the Mismatch application is retrieving both the topic name 
and category name for a given topic ID. But the mismatch 一 topic 
and mismatch—category tables use the same column name (name) 
for this data. This is a problem because the result of combining these 
two columns would leave us with ambiguous column names. But we can 
rename the result columns to be more descriptive with aliases. 

SELECT mt.name AS topic_name, me.name AS category 一 name 
FROM mismatch 一 topic AS mt The selected 匕 olurnhS 

how aliased with 

… 。代 deWiptive ha^es. 


INNER JOIN mismatch 一 category AS me 
USING (category_id) 

WHERE mt.topic id = 'll' 
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rewriting the queries with joins 


Joins to the rescue 

So joins make it possible to involve more than one table in a query, 
effectively pulling data from more than one place and sticking it in a single 
result table. The Mismatch query that builds a response array is a perfect 
candidate for joins since it contains no less than three nested queries for 
dealing with multiple tables. Let’s start with the original code: 


Joins are more 
eiiicient and 
require less code 
titan nestect queries. 


// Grab the response data from the database to generate the form 
$query = M SELECT response—id, topic_id, response FROM mismatch response 
"WHERE user_id = ,n . $_SESSION['user—id'] . n,n ; 

$data = mysqli—query($dbc, $query); 

$responses = array(); 

while ($row = mysqli_fetch array($data)) { 

// Look up the topic name for the response from the topic table 
$query2 = M SELECT name, category_id FROM mismatch 一 topic 
'WHERE topic_id = ,n . $row['topic_id'] 

$data2 = mysqli—query($dbc, $query2); 
if (mysqli_num_rows($data2) == 1) { 

$row2 = mysqli 一 fetch array($data2); 

$row['topic name’] = $row2['name']; 


// Look up the category name for the topic from 
$query3 = "SELECT name FROM mismatch 一 category M 
"WHERE category_id = . $row2['category_id'] 

$data3 = mysqli—query($dbc, $query3); 
if (mysqli_num_rows($data3) == 1) { 

$row3 = mysqli 一 fetch array($data3); 

$row['category 一 name'] = $row3['name']; 
array push($responses, $row); 
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And here’s the new version of the code that uses a join: 
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// Grab the response data from the database to generate the form 
$query = M SELECT response 一 id, topic_id, response FROM mismatch response 
"WHERE user_id = ' M . $_SESSION['user—id'] . n,n ; 

$data = mysqli—query($dbc, $query); 

$responses = array(); 

while ($row = mysqli_fetch array($data)) { 

// Look up the topic and category names for the response from the topic and category tables 
$query2 = M SELECT mt.name AS topic_name, me.name AS category—name 
"FROM mismatch topic AS mt M . 

’’INNER JOIN mismatch 一 category AS me USING (category_id) 

"WHERE mt.topic_id = ,n . $row['topic_id'] 

$data2 = mysqli—query($dbc, $query2); 
if (mysqli_num_rows($data2) == 1) { 

$row2 = mysqli—fetch array($data2); 

$row['topic 一 name'] = $row2['topic 一 name']; 

$row['category 一 name'] = $row2[ 1 category—name▼] 
array push($responses, $row); 
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I don’t get it, you still have an extra 
query that looks up the category 
name. If joins are so great, why do 
you still need two queries? 


We don’t still need two queries, at least not if we use 
joins to their full potential. 

It is possible to join more than two tables, which is what is truly required 
of the Mismatch response array code. We need a single query that 
accomplishes the following three things: retrieve all of the responses for 
the user, get the topic name for each response, and then get the category 
name for each response. The new and improved code on the facing 
page accomplishes the last two steps in a single query involving a join 
between the mismatch—topic and mismatch—category tables. 
Ideally, a single query with two joins would kill all three birds with one 
big join-shaped stone. 



ExeftclSe 


Following is code that is capable of retrieving response data from the database with one query, thanks 
to the clever usage of joins. Be clever and write the SQL query that does the joining between the 

mismatch response, mismatch topic, and mismatch category tables. 


// Grab the response data from the database to generate the form 
$query = 


$data = mysqli—query($dbc, $query); 
$responses = array(); 

while ($row = mysqli 一 fetch array($data)) { 

array 一 push($responses, $row); 
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exercise solution and no dumb quesf/ons 



Following is code that is capable of retrieving response data from the database with one query, 
thanks to the clever usage of joins. Be clever and write the SQL query that does the joining 
between the mismatch_response, mismatch_topic, and mismatch_category 
tables. 


// Grab the response data from the database to generate the form 

$q : ery = W . : . The Usi\o^ 

AS 七 opk 一的 ame, mdAS f - 七 ^ 七 opid table 'm*to 
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$data = mysqli—query($dbc, $query); 
$responses = array(); 

while ($row = mysqli 一 fetch array($data)) 
array push ($responses, $row); 
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result 
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What other kinds of joins are there? 

Other types of inner joins include equijoins, non-equijoins, and 
natural joins. Equijoins and non-equijoins perform an inner join based 
on an equality or inequality comparison, respectively. You’ve already 
seen several examples of equijoins in the Mismatch queries that 
check for matching topic—id and category—id columns. 
Since the matching involves looking for “equal” columns (the same 
ID), these queries are considered equijoins. 

Another kind of inner join is a natural join, which involves comparing 
all columns that have the same name between two tables. So a 
natural join is really just an equijoin, in which the columns used to 
determine the join are automatically chosen. This automatic aspect 
of natural joins makes them a little less desirable than normal inner 
joins because it isn’t obvious by looking at them what is going on— 
you have to look at the database structure to know what columns are 
being used in the join. 


So all SQL joins are really just variations of inner joins? 

No, there are lots of other joins at your disposal. The other 
major classification of joins is collectively called outer joins, but 
there are several different kinds of joins that are considered outer 
joins. There are left outer joins, right outer joins, full outer joins, and 
the seldom used but awe-inspiring triple helix ambidextrous join. OK, 
that last one isn’t a real join, but it should be! The basic idea behind 
an outer join is that rows in the joined tables don’t have to match in 
order to make it into the join. So it’s possible to construct outer joins 
that always result in rows from a table being selected regardless of 
any matching conditions. 

Outer joins can be just as handy as inner joins, depending on the 
specific needs of a database application. To learn more about the 
different kinds of joins and how they are used, take a look at 
Head First SQL. 
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Tesr DriVq 


Revamp the Questionnaire script to grab the user’s response data 
with a single query. 

Modify the questionnaire . php script to use inner joins so that the queries that grab the 
user’s response data are handled in a single query. Upload the new script to your web server, 
and then navigate to the questionnaire in a web browser. If all goes well, you shouldn’t notice 
any difference... but deep down you know the script code is much better built! 
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time to play matchmaker 



Mismatch now remembers user responses but it doesn’t 
yet do anything with them...like finding a mismatch! 

The collection of user response data only gets us halfway to a successful 
mismatch. The Mismatch application is still missing a mechanism for firing 
Cupid’s arrow into the database to find a love connection. This involves 
somehow examining the responses for all the users in the database to see who 
matches up as an ideal mismatch. 
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Figuring out an ideal mismatch sounds 
pretty complicated given all those 
categories, topics, and responses. Are 
you sure thafs really doable? 


It’s definitely doable; we just need a consistent 
means of calculating how many mismatched 
topics any two users share. 

If we come up with a reasonably simple way to calculate how many 
mismatched topics any two users share, then it becomes possible to 
loop through the user database comparing users. The person with 
the highest number of mismatches for any given user is that user’s 
ideal mismatch! 



+ 



Mismatch! 


Write down how you would go about calculating the “mismatchability” 
of two users using data stored in the Mismatch database: 
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the (mis)matchmaking logic 


Love is a numbers game 


If you recall, mismatch responses are stored in the mismatch_ 
response table as numbers, with 0,1， and 2 all having special meaning 
in regard to a specific response. 


? 


% 



Unknown = 0 Love 


0 

Hate = 2 


This is the data used to calculate a mismatch between two users, and 
what we’re looking for specifically is a love matching up with a hate or a 
hate matching up with a love. In other words, we’re looking for response 
rows where response is either a 1 matched against a 2 or a 2 matched 
against a 1. 
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We’re still missing a handy way in PHP code to determine when a 
mismatch takes place between two responses. Certainly a couple of if- 
else statements could be hacked together to check for a 1 and a 2, and 
then a 2 and a 1 ， but the solution can be more elegant than that. In either 
scenario, adding together the two responses results in a value of 3. So we 
can use a simple equation to detect a mismatch between two responses. 


If ResponseA + ResponseB = 3 , we kave a mismatcli! 

So finding a love connection really does boil down to simple math. That 
solves the specifics of comparing individual matches, but it doesn’t address 
the larger problem of how to actually build the My Mismatch script. 
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Five steps to a successful mismatch 

Finding that perfectly mismatched someone isn’t just a matter of 
comparing response rows. The My Mismatch script has to follow a set 
of carefully orchestrated steps in order to successfully make a mismatch. 
These steps hold the key to finally satisfying users and bringing meaning to 
their questionnaire responses. 


Grab the user’s responses from the 
’ mismatch—response table，making sure 
to join the topic names with the results. 


Initialize the mismatch search results ， 
'p including the variables that keep up 
with the “best mismatch/’ 


Loop through the user table comparing 
other people’s responses to the user，s 
responses. This involves comparing 
responses for every person in the database 
to the user’s corresponding responses. A 
score” keeps up with how many opposite 
responses the user shares with each person. 


After each cycle through the loop, see if the 
current mismatch is better than the best 
mismatch so far. If so, store this on: as the 
new “best mismatch，，，making sure to store 
away the mismatched topics as well. 


Make sure a “best mismatch，，was found ， 
then query to get more information about 
the mismatched user, and show the results. 
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get user responses and initialize search results 


Prepare for the mismatch search 

Step 1 falls under familiar territory since we’ve already written some 
queries that perform a join like this. But we need to store away the user’s 
responses so that we can compare them to the responses of other users 
later in the script (Step 3). The following code builds an array, $user_ 
responses, that contains the responses for the logged in user. 


$query = "SELECT mr•response_id, mr.topic_id J 
AS topic__name ". 

"FROM mismatch—response AS mr ". 

’'INNER JOIN mismatch topic AS mt ". 


'▼USING (topic_id) ，， . 

"WHERE mr.user_id = ,n . $_SESSION[ 1 user_id 1 ] 
$data = mysqli—query($dbc, $query); 
$user_responses = array(); 
while ($row = mysqli—fetch—array($data)) 
array push($user responses, $row); 


mr.response A mt.name 


This ^ucv-y uses a JOIH 
^ all -the 
irespohscs -Pov- -the uscif. 


A y/Wile loof is used -to 50 
ea 乩 \ro>w o-f 

V"CSul*bs； buildmj 3^ 3V"V-ay o-f 
usev" vcspor\scs m ^fyoCtss. 


灼七 his loop -finishes, -the 
fusc\r — vcspo^scs a\rray will hold 
all o( -the “sear’s \rcspo^scs. 


tl Grab the user，s responses from the 

taWe ，making sure 


to join the topic names withS^ 


results. 


Step 2 of the My Mismatch script construction process involves setting up 
some variables that will hold the results of the mismatch search. These 
variables will be used throughout the My Mismatch script as the search for 
the best mismatch is carried out: 

$mismatch score = 


This is the usc\r ID of the 
who is bcihj 

办 3 potential rwisrwa-Uh... 

wkh the sca\rdh is 

this vav-iablc holds the ID o^f 
the best rwisrwat^li. 


$mismatch_user_id = -1; 
$mismatch topics = array(); 


This variable holds the 
'Store bctv/CCh "two USCV-S — -the 

highest sdo\rc ul-timatcly v-csults i 
a ruisruatdli. 


m 



TKis av-vay Isolds *topks 

av-c mismd-UKed brUc ⑼ *tv/o usevs. 


|-f this vaviablc is siill sc*t *to -I a-P*tcv 
*thc k^ow •theve a 

misma 七^一 七 iVis only 

y\o o*thcv* usev-s have a 灼 swcv"cd 
<\ucs*tio^r>aiv*c, whidh is vevy unlikely. 


Initialize the mismatch search results, 
including the variables that keep up 
with the M best mismatch/’ 
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Compare users for "mismatchiwcss" 


The next mismatching step requires looping through every user, and 
comparing their responses to the responses of the logged in user. In 
other words, we’re taking the logged in user, or mismatcher (Sidney, 
for example), and going through the entire user table comparing 
her responses to those of each mismatchee. We’re looking for the 
mismatchee with the most responses that are opposite of the mismatcher. 


Where to begin? How about a loop that steps through the $user_ 
responses array (mismatcher responses)? Inside the loop we compare 
the value of each element with comparable elements in another 
array that holds the mismatchee responses. Let’s call the second array 
$mismatch_responses. 

This a\r\ray holds \rcspo^scs -p\rorw 

lojjcd \Y\ usev, ihc rwisrwa-tdlicv. 


$user responses 


1 

1 

Hate 

Tattoo〆' 广' 

2 

2 

Hate 

Gold chains 

3 

3 

Hate 

Body piercings 

4 

4 

Love 

Cowboy boots 

5 

5 

Love 

Long hair 

6 

6 1 

Love 

Redlity TV 

7 

7 

Hate 

Professional 釔 restling 

8 

8 ( 

Hate ^ 

' Horror movies 




$mismatch 一 responses 


TVis av-v-ay holds \rcspor\scs 
-(■yow' uSCV* > 1 ^ 七 

da*babasc> m'isw>a*U^cc. 



幾 

rr 

Love 

— 

Tattoos 

77 

2 

Love 

Gold chains 

78 

~Tr 

Love 

Body piercinqs 

79 

-A 

Love 

Cowboy boots 

80 

5 屢 

Love 

Long hair 

81 

Jm 

-i- 

Hate 

Reality TV 

82 

g 

Love 

Professional wrestlinq 

83 1 

fs 

Love 

Horror movies 

M_ 

^IZZZ 



bo loof tV^csc two a^ays 

simultaneously, vcs^scs t) same 

b>^\cs b> see i-f art same o^r 


This a\nray as -the 

is -to 

di-PfcV'Ch't 


The challenge here is that we need a loop that essentially loops through 
two arrays at the same time, comparing respective elements one-to-one. A 
for each loop won’t work because it can only loop through a single array, 
and we need to loop through two arrays simultaneously. A while 
loop could work, but we’d have to create a counter variable and manually 
increment it each time through the loop. Ideally, we need a loop that 
automatically takes care of managing a counter variable so that we can 
use it to access elements in each array. 

while (•••){ 

Could vlo^Cbut r\oi 

c%ad*tly ideal- 
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introducing the for loop 


All we need is a FOR loop 


PHP offers another type of loop that offers exactly the functionality we 
need for the My Mismatch response comparisons. It’s called a for loop, 
and it’s great for repeating something a certain amount of known times. 
For example, for loops are great for counting tasks, such as counting 
down to zero or counting up to some value. Here’s the structure of a for 
loop, which reveals how a loop can be structured to step through an array 
using a loop counter variable ($i). 

Test condition 


/hitialiic the 
loop ^ouhtev -to a 
value bc-fov-c the 


Initialization 

Start the loop with 
the counter, $i, at 0. 


Only perform another loop 
cycle if the test evaluates to 
true, that is, if $i is less than 
the number of user responses. 


Update 

Update the loop counter 
by adding 1 to $i. 





} 


$i < count($user 一 responses); $i++) { 

\ 一 

* \ 丁 ^ tou 灼七 0 \rc*tuvr\s d 

Nv A 」 I . . I. Co\AY\i <Jc r\umbcv o-f elements 

、 ~ 巧 de flawed msidc scr vcs as 

^rly b 广 《 # 广 eW “如 Uf’s test 心 diW. 

thv-oujn tnc loop. 


N 

Update the loop 
by addiha 
I "to it - this is 

the 

I 

fi = 


same as sayih^ 
fi + /. 



E%eftciSe 


Step 3 of the My Mismatch script involves comparing two users by looping through each of their 
responses, and calculating a “score” based on how many responses are mismatched. Given the 
following pieces of data, finish writing the for loop that calculates this score. 


$user 一 responses 

The array of responses for the user. 


$mismatch—responses 

The array of responses for the 
potential mismatched user. 


for ($. 


if 


0; $i < count($user responses); $i++) { 


$score 


The mismatch score to be 
calculated inside the loop. 


array_push($topics, $user_responses[$i]['topic_name '])； 
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Why not just use a foreach loop to calculate the score 
instead of a for loop? 

Although a foreach loop would work perfectly fine for looping 
through all of the different responses, it wouldn't provide you with 
an index ($i) at any given iteration through the loop. This index is 
important because the code is using it to access both the array of user 
responses and the array of mismatch responses. A foreach loop 
would eliminate the need for an index for one of the two arrays, but not 
both. So we need a regular for loop with an index that can be used 
to access similar elements of each array. 

What’s the purpose of storing the mismatched responses in 
their own array? 

The array of mismatched responses is important in letting the 
users know exactly how they compared topically with their ideal 
mismatch. It's not enough to just share the identity of the ideal 
mismatch person—what is even better is also sharing the specific 
topics the user mismatched against that person. This helps give the 
mismatch result a little more context, and lets the users know a bit 
more about why this particular person is truly such a great mismatch 
for them. 

In Step 5 of the Mismatch script, how would there ever not 
be a best mismatch for any given user? 

Although unlikely, you have to consider the scenario where there 
is only one user in the entire system, in which case there would be no 
one else to mismatch that user against. 
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BceftctSe 

%oLpi\OH 


Step 3 of the My Mismatch script involves comparing two users by looping through each of their 
responses, and calculating a “score” based on how many responses are mismatched. Given the 
following pieces of data, finish writing the for loop that calculates this score. 


$user responses 


$mismatch 


responses 



l 

1 

Hate 

Tattoos 

2 

2 

Hate 

Gold chains 


3 

Hate 

Body piercings 

■ 擊讎 - : 釀 

1 

V 


4 

Love 

Cowboy boots 

5 

5 

Love 

Long hair 

6 

6 1 

Love 

Reality TV 

- 

7 

Hate 

Professional wrestling 

8 

8 

Hate 

Horror movies 

… 


— 76 


Love 

Tattoos 

—77 

_ ~ -- — 

2 

— 

Love 

__Gold chains_ 

•今 

3 

Love 

Body piercings 

79 

一 4 

Love 

- - - 

Cowboy boots 

80 

5 

Love 

_Long hair_ 


6 

Hate 

Reality TV 

82 

7 

Love 

- - - 

Professional wrestling 

Horror movies 

—83 

X 

Love 

--- 



$score 



丁 he sCort is 
-foV" 



Rcmcmbcv, the humbev of usev 
^•espohscs is the sanxc as -the 
:“饮 d io ? \Cs 

p … pohs« slight 

-the c^ucs-tiohhaiv-c. 


Tiic fsdo\rc variable cr\ds 
up bem^ nr\ *biiC ^ 
Uo m'lSma-UiiCs) {jo 七 
■total \r\uw\bcv" "topics 
(tomflctc misma 七 ^) • 



for ($i = 0; $i < count($user_responses); $i++) { 

if ( fuscv-^jrcspo^scsCfiJCVcs^o^sc^ + fmismatdh^jrcspo^scsCfiJCVcspo^sc^ 

f store +— I ； 

array push ($topics^user responses[$i] ['topic name '])； 




TKc loop tountev- is 
used *to s*tcp 
ed^K usev vcspoir\sc. 


Loop through the user table comparing 
other people’s responses to the user，s 
responses. 


h 

\ 


Hddli 七 dlied "(jopid 

,s ^dded {jo ah av-v-ay so 
it £ ， 3r\ be displayed 
"to "the usc\r wlieh 
^rcvcalihg -the r^is^a-tdh. 


/\ mismd-U^ Cov)S\sis of d 
love 0) ma*U^cd v/rUi a 
hate (2-), so addrn^ {\\tr^ 
-bo^mev always vcsults m 
3 ^ i-(* 'tiiCV'C is d w\iSm3*td.K. 
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Finishing the mismatching 

The shiny new loop that calculates a mismatch score is part of a larger 
script (mymismatch . php) that takes care of finding a user’s ideal 
mismatch in the Mismatch database, and then displaying the information. 


丁 his sd\ript -Pihds a 

k __ 



mymismatch.php 


// Only look for a mismatch if the user has questionnaire responses stored 
$query = "SELECT * FROM mismatch response WHERE user_id = "’ • $_SESSION['user_id 1 ] 


$data = mysqli query ($dbc, $query^^^_ ^ 咖卜 possible *t© fmd d m'lSmaU^ OV d USCV 
if (mysqli—num_rows ($data) != 0) { y/iio lids \rCS^o\r\dcd "to ^uCstioirM^ai'rC- 


// First grab the user's responses from the response table (JOIN to get the topic name) 


$query = "SELECT mr.response id, mr.topic id, mr.response, mt.name AS topic name 


o 


"FROM mismatch response AS mr M . 
n INNER JOIN mismatch 一 topic AS mt M . 

"USING (topic_id) M . 

"WHERE mr.user_id = "’ • $_SESSION['user id'] 
$data = mysqli—query($dbc, $query); 

$user responses = array (); 

while ($row = mysqli—fetch array($data)) { 

array push($user responses, $row); 


A -fsrwiliav* JOIH is used "fco 

代 "brieve the "topi 匕 hdme 

wheh S]£LBCTmg -the usev-^s 
«\ucsiiohhai\rc \rcspohSCS. 


The fusc\r__vcsp0hscs holds 


all of -the VCSpOhSCS 

// Initialize the mismatch search results 
$mismatch—score = 0; 

❺ $mismatch user_id = -1; 

$mismatch 一 topics = array() 


av-v-ay h 

-rov- 七 he 


USCV*. 


These vaviablcs keep iv-atk 

o( *thc mismatch scav-dh 3s 

•I 七 fvoycsscs. 
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the full mymismatch.php script 


// Loop through the user table comparing other people's responses to the user's responses 
$query = M SELECT user id FROM mismatch user WHERE user id != ' M . $ SESSION[ 1 user id']. 



$data = mysqli—query($dbc, $query); 
while ($row = mysqli—fetch array($data)) { 

// Grab the response data for the user (a potential mismatch) 


This 'uery yabs all 

七 uscvs 

USCV* bcur\^ 


TWis tuv-ly 
Watc 
mdv^ks *tV^c 
e 灼 d of 七 ^ 
rv\d'm >wWilc 

loop. 


$query2 = 11 SELECT response—id, topic_id, response FROM mismatch response 
"WHERE user—id = "’ • $row[ 1 user 一 id 1 ] . n,n ; 

$data2 = mysqli—query($dbc, $query2); 

$mismatch responses = array(); 
while ($row2 = mysqli—fetch array($data2)) { 
array push($mismatch responses r $row2); 


Pov* usc\r, this c^ucv-y 

gv*abs the ^ucs-tiohhaivc 

v-cspohscs -Po\r 

as a potchtial rwisma-Uh. 



// Compare each response and calculate a mismatch total 
$score = 0; 

$topics = array(); 

i < count ($user responses); $i++) { 


Hcvc^s -fov I oof 七 1 ^七 
tabulates sCort 

-fov a po 七⑼七 ial 


for ($i = 0; 

if (((int)$user responses [$i] ['response']) 




((int)$mismatch responses [$i] ['response']) 


-score 


array push($topics, $user responses [$i] ['topic name']) 


；TKc vcspor\sc C2.\ -fov c%arwflc) 



// Check to see if this person is better than the best mismatch so far 
if ($score > $mismatch 一 score) { 

// We found a better mismatch, so update the mismatch search results 


$mismatch 一 score = $score; 

$mismatch user_id = $row['user_id']; 
$mismatch 一 topics = array—slice($topics, 0) 

— ” 

This -fuy>d*tioir> d w sl'idc o-P By\ av"\ray- 

\y\ -this dase >wcVc jus*t usi% I 七 *to dopy i\\t 
f*tof'ids av*vay *m*to 


IA/cVc siill ihsidc that -first i-f 

s-ta-tcrwCh-t -fv-orw the pv-evious 
如 dl siill move Code - 


1( this usc\r is a bettev- 
rwisrwa-t^h "the best 
rwisr^a-t^h so (div, set 
hirw as the best misrwa-Uh. 
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Bc-fovc displav'm^ 

你伽 aW make contro1 y° ur data ， contro1 y° ur world 

suvc a U bcs*t 

- - y/ds actually *fou 灼 d. 

$query = "SELECT username, first name, last name, city, state, picture FROM mismatch user M , 


// Make sure a mismatch was found 
if ($mismatch user id != -1) { 



4 v the 

5:;: 卜 iw 一 


"WHERE user_id = '$mismatch user_id' M ; 

$data = mysqli—query($dbc, $query); 
if (mysqli_num_rows($data) == 1) { 

// The user row for the mismatch was found, so display the user data 
$row = mysqli 一 fetch array ($data); 
echo '<table><tr><td class= M label M >'; 

if (!empty($row['first_name']) && !empty($row['last_name'])) { 

echo $row['first name 1 ] . ' ' . $row['last name'] . '<br />'; 


Pisplay 


if (!empty($row['city']) && !empty($row['state'])) { 

echo $row['city'] . \ ' . $row['state'] . '<br / > 


Show the usc\r s 

^iy ay\d state. 


echo ' </tdxtd> '; 

if (! empty ($row [ ' picture ' ] ) ) { 


echo ' <img sre: 


MM UPLOADPATH . $row['picture'] 


alt= M Profile Picture" / ><br / > 


echo ' </tdx/tr></table> '; 


Po^*b -fovyb *to 
W\i\\ user's PidWcf 


count($mismatch topics) 


// Display the mismatched topics 
echo '<h4>You are mismatched on the following ' 
foreach ($mismatch 一 topics as $topic) { 

echo $topic . '<br / >'; i 仏 i 叶饮 *(^ 七 "to show 

} what "fcopids adiually 

^rcsulicd \y\ -the misrwa-Uh. 

// Display a link to the mismatch user's profile 

echo '<h4>View <a href=viewprofile.php?user_id=' . $mismatch user_id 

$row['first name'] . '\'s profile</a>.</h4>'; 


> 


else 


Pmally, fvovide a I'mk b> 

-tKc misrwa-Uiicd user's f\TO*filc 

so lo^cd m usev- dav> 

-p'md ou*t mov-c abou*t him. 


topics : </h4> 


echo '<p>You must first <a href= M questionnaire.php M >answer the questionnaire</a> before you can 


'be mismatched.</p> 
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make a mismatch! 




Tesr DriVq 


Find your perfect Mismatch! 

Modify Mismatch to use the new My Mismatch script (or download the application from 
the Head First Labs site at www. headfirst labs . com/boo ks/hfphp). This requires 
creating a new mymismatch . php script, as well as adding a “My Mismatch” menu item to 
the navmenu . php script so that users can access the script. 


Upload the scripts to your web server, and then open the main Mismatch page (index . php) 
in a web browser. Make sure you log in and have filled out the questionnaire, and then click 
the “My Mismatch” menu item to view your mismatch. 


Joiia^s /\z]y 

vcvcaU Sidney 
as his 
opfosi*tc- 




切 I Mfenw 







£1 


miw iBiwftiLLlnL! 


IiSwi. 


a ■ 


tf^TEcar rap-_„ 

ailrcnj ro. 

ia 

^pajxi 

tiAn 1 JSr h 

HI! 

Krrauoc* 




We re so different 
in all the right ways, 
what a babe. 


1 1 - nlmlrKn 


O 


o 


# 4 奮 ,_ u i —" Uy l j 


'1-cx.ElI^i 


I had no clue rd be so 
attracted, yet I can’t 
resist the Johan! 








o 


0 


CrOMrtllM 

BirtyfterrJip 

pinCMGrtrJi w-rerai( 
EfciKtf CWiaM 
pjm 'jHCldlf RfckiC 

lb^<of«ra 


Mtraa 

yili^K£ 

Clfce 


： 


HJU0 

Mrm i^l-1 






l/Vheh Sidney visi-ts 

the My /Wis^a-Uh 

fage, she sees Johah ； 

hcv- ideal rwisma-Uh. 


494 Chapter 8 











control your data, control your world 



Database Scliema Magnets 

Remember the Guitar Wars application from eons ago? Your job is to study the 
Guitar Wars database, which could use some normalization help, and come up 
with a better schema. Use all of the magnets below to flesh out the table and 
column names, and also identify the primary and foreign keys. 


T\\c database dvives 
i\\t display 
stores or\ mdm 



Wc\rc s the 

与 uita\r Wars da-bbase, 

whidh s-to\rcs high 
s^o\rcs that av-c 
submitted by usev-s. 


guitorwors 


date 


name 


score 


screenshot 


approved 



Hcvc^s v\t>N imfvovcd 
s£.Kemd you r\ccd *to build out 
如必七 he 州 … ^ood lutkf 
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Database Sckema Magnets Solution 

Remember the Guitar Wars application from eons ago? Your job is to study the 
Guitar Wars database, which could use some normalization help, and come up 
with a better schema. Use all of the magnets below to flesh out the table and 
column names, and also identify the primary and foreign keys. 


TV^c database drives 
i\\t display o-f 

stoves oy\ 
guitar lA/ars fay. 



T\\t table is miss'm^ 
a pv-imavy key, 

is a 灼 imfov*tar\*b 

pav*b a” 
^ov-mdliz^d da'tabasc- 


^ Sm 匕 e 

rwulti 


guifqrwars 


date 


nam?) 
score 
screenshot 

approved 


■the same us 饮 is capable Jc posting 

Itiple high scores, -the dolumh 

\rcsul-ts m rtd\AY\d^i daia .. Y\oi O^ood! 



The sdov*c__id 

匕 olurvm sewes ds 

d mudh needed 
p\ririf»a\ry key -fov- 
thc sdov*c "table. 


T\\t tables i^avc 
^dmes s\Ut sevve 
move speti-fit purposes. 






The sdovc 'tcible 
V-C-Pc\rCh^CS 

players via a 
>^cw -Pov-ci^h key. 


guitarwars—score 


L 


player_ 

" 

>J| 


date^| 

1 

scor e \ 


screenshot J 


approved | 




guitarwars player L 

❾ player—id | 

| 

J 

first name | 

- 1 

last_name k|^ - 


Bath playcv-^s 
r> 3 me is y\oyi 
bvokc^ doYJY\ m*bo 
-f'ivs*t dr>d bs*t 
v>amC *to be move 
dkpn\\t) ay>d i*t is 
or>ly s*bovcd or\Ct 
y>o Ko>/ 

mar>y stores 
•tKcy post 



A erne - *to - 
v-cla*t»o\r\sV)'if 
bc*t>/cc^ flaycv- 

dhd W 吵 shoves 



s 


Rcduhda^-t USCV- Y\Bn\C 

d^-ta is solved by tv-caii^g 
a -table ihai s-fcoves 
flayev- ir>a^cs, a^d thc^ 

匕 ojrme^ts "to -the store 

"t^blc "thvoujh d key. 


o Make sure your columns are atomic, 
o Give each table its own primary key. 

© Make sure non-key columns aren’t 
dependent on each other. 




The 今 urtav Wav-s database did^-t 
Kdve dv>y def ⑶ d ⑼七 dolumr\ pv-oblcms. 



Wcvc avc the \rulcs Ohc 
你。代 time, just -to make 
su\re you didn’t -Pov-yt^ 
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PHP&MySQLcross 

Concerned that your own perfect mismatch is still out 
there waiting to be found? Take your mind off it by 
completing this crossword puzzle. 



Across 

I. A representation of all the structures, such as tables and 
columns, in your database, along with how they connect. 

4. This happens when multiple rows of a table are related to 
multiple rows of another table. 

5. This allows you to convert between different PHP data types. 

7. Use this to combine results from one table with the results of 
another table in a query. 

10. The process of eliminating redundancies and other design 
problems in a database. 

II. You can shorten some if-else statements with this handy 
little operator. 

12. When one row of a table is related to multiple rows in 
another table. 


Down 

1. A join makes it possible to get rid of these. 

2. A column in a table that references the primary key of another 
table. 

3. When a form is generated from a database, it is considered 


6. It's not nuclear, it's just data in the smallest size that makes 
sense for a given database. 

8. Rows in two tables have this relationship when there is 
exactly one row in one table for every row in the other. 

9. One of these can help greatly in figuring out the design of a 
table. 

13. A temporary name used to reference a piece of information 
in a query. 
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PHP&MySQLcross Solution 
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Your PHP 备 MySQL Toolbox 

Quite a few new MySQL database 
techniques were uncovered in this 
chapter, not to mention a few new PHP 
tricks. Let’s do a quick recap! 


A s^emd is a vc\>vcscv>-ta*t*ioK> 

all -the stvudWs (tables, 
cU.) m vour database, alo 吒 ^ 

Koy ； -tKcy A dia^vam is a 

visual dc\>*i6t»oy> o-f youv- database, 

details about 

s?cdid 6olumK>s responsible -fov 
"tables. 


A^rrhaliz^ti 


toh 


^a\\z3hoy^ is £hc p^css of 

产 e 叫心 design ^ a debase 

^ >rtdut duplicate daia 
•• 外 … e — pladcmcht av^d 

^Wiohships bcWch daia. The 

pi is p^rodude a robust desia h 
tw holds up we || 9 ^owih 9 daia. 




Fovei^h jsey 

A dolumh ih a -table that is used 
*to lihk *thc "table *to ahothev- "table. 
A Wigh key ih a Md table 
■typically dohhCdis -to a pvima^y 
key ih a pa^rcht -table, rWWtively 

1 ’|焱叫 \rows bctwcch the -two 
iablcs. 


? : 

The tc\rha\ry operatov is a PHP 
dohsiv-udt that works like a v-cally 

dor^padi i-f-clsc s-taicr^cht. It 

is hahdy -for pe\rfo\r 州 ihg simple 

dhoides based oh a tv-uc/-falsc 

C 乂 pvessioh. 


XHHER JOIN 

丁一 ％ 二二广 

W 七 _ ^ CS W Vlke a ^mat 

户 :: 二 k 

:二二 身 

•taWes. 


for (•••) 

A — 減 k idcallv su\tcd 
|oo ? m 5 based a s ? e6\U 
⑽ d iWaWs. Create a 

-for loo^> bv m • 七汕 ㈣ a 一七二 
cstaWisWm^ a itsi toMo^ a^d 

be —Wd JW ⑽如 aW. 


AS name 

This S^L shic^chi establishes 

ah a,ias > W H_S a hamc used -to 
ideMy 3 pic dc ^ daia witu a 

n^y. Aliases a\rc C^fich used io 
， pli(y ^ucirics by shoirtchihg lohg 
^ klc 3hd 亡丄 _ hames. They 
also be used ^ 州如 e result daia 

卞 h the o\rigihal ia\)\c dolumh 

iSh， *t spedi 乙⑽吵 
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Better living through ♦ 

functions 



Functions take your applications to a whole new level. 

You’ve already been using PHP’s built-in functions to accomplish things. Now 
it’s time to take a look at a few more really useful built-in functions. And then 
you’ll learn to build your very own custom functions to take you farther than you 
ever imagined it was possible to go. Well, maybe not to the point of raising laser 
sharks, but custom functions will streamline your code and make it reusable. 


this is a new chapter 
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riskyjobs needs search functionality on its s/fe 


A good risky job is hard to find 

The Internet startup, Risk)Jobs.biz, is designed to help companies find 
the right people to fill their riskiest jobs. The business model is simple: for 
each risky job we can fill with the right candidate, we get a commission. 
The more successful matches, the bigger our profit. 

Riskyjobs needs help improving its site’s job-search functionality. Right 
now, there’s a database full of risky jobs just waiting to be discovered by 
the right people. Let’s take a look at the Riskyjobs search form and the 
underlying database of available jobs. 


丁 he Risky Jobs scav-^h 
•Po\nrw t\riggc\rs a 
° h the Hskyjobs -table 
that scathes -fov- 
Jobs. 



title 

Matador 
Paparazzo 
Shark Trainer 
Firefighter 
Voltage Checker 

Crocodile Dentist 

Custard Walker 
Electric Bull Repairer 


n n 




rtnrtJln*! jttb lh fti_E 

De Yflu hiivfl gut* gv find 

Rbiky Jobs - Stsirt-k 


Flaid your risky \ob\ 


f bubmit: 


This simple 
•Poirm ta\ls a s^vip-t 
仏 at scav-^hes -the 
riskyjobs -bblc. 



description 

Bustling dairy farm.. 
Top celebrity … 
Training sharks to do. 
The City of Dataville.. 
You’ll be out in the... 

Do you love animals.. 

We need people... 
Hards Honky Tonk... 


riskyjobs 

city 

Rutland 
Beverly Hills 
Orlando 
Dataville 
Durham 

Everglades City 
Albuquerque 
Hoboken 


The \riskyjobs tabic ^Ohtaihs 
job titles ahd desdvip-tiohs, 
alohg with lodatioh 
/ i^-ro^a-tioh ahd the pos-tmg 
/ dait o( job. 


company 

Mad About Milk Dairies 
Diva Pursuit, LLC 
SharkBait, Inc. 

City of Dataville 
Shock Systems, LLC 
Ravenous Reptiles 
Pie Technologies 
Hank^ Honky Tonk 


date_posted 

2008-03-11 10:51:24 
2008-03-24 10:51:24 
2008-04-28 03:12:45 
2008-05-22 12:34:17 
2008-06-28 11：16 
2008-07-14 10：51 
2008-07-24 10:54:05 
2008-07-27 11:22:28 


^acM job pos 七叫 IS 
u—uely by 

{\\t job_id pv-imavy key. 


Show the 
search results! 
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rm ready to live my dream and 
become a matador...but my Risky 
Jobs search is coming up empty! 


o 



ouv- -fcav-lcss 

*,s 'red because \\\s job 

stBrcM pv-odutmj a^y results. 



rpen your pencil 


When the Risky Jobs form is submitted, the search string is stored in 
the variable $user_search, which is plugged into the following 
SQL query to do the actual searching. Write down how many rows 
in the riskyj obs database on the facing page will be found as a 
result of Ernesto’s search. 


$search query 


SELECT job id, title, state, description FROM riskyj obs 


"WHERE title = *$user search 


$result 


mysqli_query($dbc. 


$search_query); 

1/Vvi*tc you\r 
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we need our queries to be more flexible 



en your pencil 
Solution 


二 mcav^ 七 V^a 七 七 … 0 

5 七 — s fee” 6 叫⑽ d 
must 


$search query 



When the Risky Jobs form is submitted, the search string is stored in 
the variable $user_search, which is plugged into the following 
SQL query to do the actual searching. Write down how many rows 
in the riskyj obs database on page 502 will be found as a result 
of Ernesto’s search. 

"This vd\ridblc y/li^cvcy 

is Chtcvcd ih-to -the text box. 


SELECT job id^/title, state, description FROM riskyj obs 



^WHERE title — '$user_search' M 
$result = mysqli 一 query($dbc, $search query); 


nddd! Tlic problem is 
七 1^ 七 ouv ^UCV'Y is *too e 乂 adt” 
一七 CY\itrtd by 

uSCV" mus*t 


O 


The search leaves no margin for error 

The SELECT query in the Risky Jobs script is very rigid, only resulting in 
a match if the two strings being compared are identical. This presents a 
problem for our job search because people need to be able to enter search 
terms that match job listings even if the job title isn’t an exact match. 

Let’s go back to Ernesto’s search, which results in a query that searches 
the title column of the riskyj obs table for the text “Bull Fighter 
Matador ”： 

SELECT job—id, title, descr^^on FROM riskyj obs 

WHERE title = 'Bull Fighter Matador' 

The 二 ofevatov- v-c^uivcs ar\ ma 七 

^ Uo stvmy (or quality. 

See the problem? This query is only going to match rows in the table 
where the title column contains the exact text “Bull Fighter Matador”. 

The job with the title “Matador” isn’t matched, and neither are 
“Firefighter” or “Electric Bull Repairer”. OK, maybe it’s good those last 
two were missed, but the search still isn’t working as intended. And it’s not 
the mixed case that presents the problem (MySQL searches are by default 
case-insensitive), it’s the fact that the entire search string must be an 
exact match due to the equality (=) operator in the WHERE clause. 



丁 he cast o( the sca\rdh tcv-m 
doesjr /七 maiic\r because -the 
MySQL INHERE clause is 
^asc-ihschsitivc by dc-Pault. 
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SQL queries can be flexible with LIKE 

What we really need is a way to search the database for a match on any 
portion of a search string. SQL lets us do just that with the LIKE keyword, 
which adds flexibility to the types of matches returned by a WHERE clause. 
You can think of LIKE as a more forgiving version of the = operator. 

Take a look at the following query, which uses LIKE to match rows where 
the word “fighter” appears anywhere in the title column: 


SELECT job id, title, description FROM riskyjobs 


WHERE title LIKE 



kcyv/ovd 
you look -for maUVics i\\di 

same as 

七 y/ov*d a 灼 d 

still dasc-msc^sitivc. 


% fighter % 1 

The % sighs a\rc wildcards; they 
s-bhd ih -Po\r a^y othc\r dhav-adtev-s 
bcW o\r a-p-tev- -the word. 


LIKE makes it much easier to find matches, especially when you need 
to match the search string as part of a larger word or phrase. Check out 
these examples of strings that match up with the above query: 


Fir 


e(^ight^) 


Prize 


(Figtr 



(^ighS^nestoPlease 


LIKE clauses typically work in conjunction with 
wildcard characters, which are stand-ins for 
characters in the data we’re matching. In SQL, 
the percent sign (%) wildcard stands for any group 
of zero or more characters. Placing this wildcard 
in a query before and after a search term, as in 
the SELECT statement above, tells SQL to return 
results whenever the term appears somewhere in 
the data, no matter how many characters appear 
before or after it. 


Gee^B 形 - 

SQL has another wildcard character that can 
be used with LIKE. It’s the underscore [」，and 
it represents a single character. Consider the 
following LIKE clause: 

LIKE '_fighter% ' 


It’s saying: “Find the string “fighter” with any 
four characters in front of it, and any characters 
after it.” This would match ’’bullfighter” and 
“firefighter” but not u streetfighter ,5 . 
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riskyjobs code seft/p 



Time out! Take a moment to familiarize yourself with the Risky Jobs 
database... and try out a few searches. 

Download the riskyj obs . sql file for the Riskyjobs application from the Head First 
Labs web site at www. headf irstlabs . com/books/hfphp. This file contains SQL 
statements that build and populate the riskyj obs table with sample data. 

After you’ve executed the statements in riskyj obs . sql in a MySQL tool, try out a few 
queries to simulate job searches. Here are some to get you started. 


SELECT * FROM riskyjobs 


TWis sclct-b dll tolu^ns -fov 
all jobs m i\\t riskYjoks table. 


SELECT job_id, 
WHERE title = 


title, description FROM riskyj obs 
Bull Fighter Matador' - - 



This c^uevy girabs the job ID, 
"title, ahd dcs^v-iptioh -fov jobs 
广 ke the trtlc is exactly 
“Bull Figh-tcir /Wa-bdov w . 


SELECT job—id, title, description FROM riskyj obs 
WHERE description LIKE 1 %animals%' 


This ^ucv-y uses Ll^B 
"to -rihd \obs with the 
wo\rd animals a^ywhev- 
•m the job dcsd\rip-tioh. 



DoWnbcld it? 

The complete source code for the Riskyjobs 
application is available for download from the 
Head First Labs web site: 

www. headf irstlabs . com/books/hfphp 
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LIKE Clause Magnets 


A bunch of LIKE clauses are all scrambled up on the fridge. 
Can you match up the clauses with their appropriate results? 
Which magnets won’t be matched by any of the LIKE clauses? 


£owc 叫 V^avc 

Bv\svjcrs. 








Human Cannonball 
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LIKE clause magnets solution 



LIKE Clause Magnets Solution 

A bunch of LIKE clauses are all scrambled up on the fridge. Can 
you match up the clauses with their appropriate results? (Some 
may have multiple answers.) Which magnets won’t be matched by 
any of the LIKE clauses? 


ehdih^ ih 
r«a-(ihcs -this. 



Tiicv-c i^as *to be a 

• 七 his *to 你 at 乙 iv 




S 公 L ^ucv-ics av-c dasc- 
msc^sitivc, so wo^rds st^rt’nr^ 
W\i\\ lowercase or 

u^cv"d3sc 3V"C w>3*t4^cd by 

tWis ^cv-y. 



Cbsc doesh^t 



Ot\s oy\c tKsv*3d*bcv* 
a*f*tcv u do w . 



LIKE 1 %do 


丁 he lc"t"tcV"S 

ahywhc\rc give us a wUh. 



These a\rc the 
Uhrwol-Uhcd phv-olscs. 




This LI^B clause did^i 
have a^y matches. 



/ 


Politician 



508 Chapter 9 




































string and custom functions 


That last LIKE clause, LIKE '%Tipper Cow% 1 , 
doesn’t match anything because ''Tipper" and 、、 Cow 〃 
don't show up together as a phrase. It sure would 
be handy to break up search phrases into individual 
keywords and then search on each of the keywords. 

iivi ri h 


Riskj» Johm - Stsirch. 



ri ^yo»£riikv job: 

Tipper Ccw 
^ 'j(Jhrriit ' 


Ouv* scav-dh would >wovk mudh better 
J I 七 looked -Pov- w T*ifPc\r w av\d 、 U 、、 
•mdividualh/ mstcad o\ w T*iffcv CW 
as oY\t c%ad*t fhv-asc. 


Handy indeed! We just need to figure out how 
to match each of the individual keywords in the 
search phrase. 


Taking what people type in the Risky Jobs search field and matching it 
exactly won’t always work. The search would be much more effective 
if we searched on each search term entered, as opposed to searching 
on the entire search phrase. But how do you search on multiple terms? 
We could store each of the search terms in an array, and then tweak 
the SELECT query to search for each keyword individually. 
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the php explodef) function 


Explode a string into individual words 


To make Risky Jobs search functionality more effective, we need a way to 
break apart users’ search strings when they enter multiple words in the 
form field. The data our risky job seekers enter into the search form is 
text, which means we can use any of the built-in PHP string functions to 
process it. One extremely powerful function is explode () ， and it breaks 
apart a string into an array of separate strings. Here’s an example: 


Tke explodeO lunction 
treaks a string into an 
array oi substrings* 


TV>c e^lodeO WW cMo^s a s 七 vmg m*to 

a 於 3V"V3y subs*brmy bdsed oy\ a 

also as a dclimitcv". 

$search words = explode( 


The fsc«i\r^h__wo\rds variable 
how s-fco\rcs the av-v-ay o( 
seaah -tc\rms tha-t well thch 
*Pccd ih-fco dh £^L ^ucv-y. 


J WlS P^^r^c-tcv" is ihc 

text wc waht 'exploded.^ 

1 , ▼Tipper Cow 1 ); 

l TKis pav-amc*tcv- -tells c^flodcO v/Kai 

^ sepav-a-tes *tKc substvnr^s v/rtiVm m 

七 Wis cast a spade. You spcdi-fy or>C OV - rno\rc 
£.Kavat*tcv"s, av-c tailed *tKc dclim'i-tcv". 


The explode () function requires two parameters. The first is the 
delimiter, which is a character or characters that indicates where to 
break up the string. We’re using a space character as our delimiter, which 
means the search string is broken everywhere a space appears. The 
delimiter itself is not included in the resulting substrings. The second 
parameter is the string to be exploded. 


TKc s\>d^e dcl wtcv- 
6oy\*tv-ols Koy/ *tV^c 
s*tv»^5 ,s c^flodcd- 



Each subs-t\rih0 is 
sWd as a distih^-t 
3\r\ray clcmcht. 


Incorporating the array of search terms into Risky Jobs involves adding 
a line of code before we run the query on the Risky Jobs database. Now, 
if someone enters “Tipper Cow” into the search field, this code breaks it 
into two words and stores each word in an array ($search—words). 


$user_search = $_GET['usersearch *]; 

$search—words = explode(' ', $user_search); 


e 把 h wo\rd ih ^usc\r__scav-^h m av\ 
針 ay Jollied fsc«iv-^h__wov-ds. 
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■ 


In order to incorporate the exploded search terms into the Risky Jobs application, we have to 
plug each of the terms into an SQL select query using like and or. For example, here’s 
what a query would look like for Ernesto’s earlier search on “Bull Fighter Matador ”： 



IVcVc how sca^hihg -the job dcs^v-iptioh 
instead o( -the ti-tlc sihde -the dcs^iptioh 
has rwo\rc "to 


SELECT * FROM riskyjobs 


WHERE description LIKE '%Bull%' OR description LIKE 1 %Fighter%' OR 
description LIKE '%Matador%' 

Now suppose we used the following PHP code to attempt to assemble this query from the search 
data entered by the user into the Risky Jobs search form: 

$search query = "SELECT * FROM riskyjobs"; 


$where_clause 
$user search 


$ GET['usersearch']; 


$search_words = explode ( 1 *, $user_search) 

foreach ($search words as $word) { 


$where clause . 


description LIKE '%$word%' OR 


if (!empty($where_clause)) { 

$search 一 query .= " WHERE $where_clause" 


Write down the SQL query generated by this code 
when Ernesto enters “Bull Fighter Matador” as his 
search, and then annotate any problems you think 
it might have. 



: 石 ” v Jrai _ Fwsji ■故 
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exercise solution 



In order to incorporate the exploded search terms into the Risky Jobs application, we have to 
, # plug each of the terms into an SQL select query using like and or. For example, here’s 

EMRCISQ what a query would look like for Ernesto’s earlier search on "Bull Fighter Matador ”： 

SoLl/tlOH 

W 代 how sca\rdhih 9 the job dcsdv-iptioh 
ihslcad o( the title smdc the dcs^ipt.oh 
has rhO\rc ijvpowatloh "to wUh. 

SELECT ^ FROM riskyjobs 

WHERE description" LIKE '%Bull%' OR description LIKE '%Fighter%' OR 
description LIKE '%Matador%' 

Now suppose we used the following PHP code to attempt to assemble this query from the search 
data entered by the user into the Risky Jobs search form: 

$search 一 query = "SELECT * FROM riskyjobs '，； 

$where_clause = ' ' ; 

$user_search = $_GET [ ' usersearch' ] ; L|^g. clause tv\As v/rtii 

$ search words = explode (▼▼ , $user search) ; OR *to 

— -广 one, works ycat 

foreach ($search—words as $word) { v/ -fov 败 Y last erne. 

$where_clause .= " description LIKE 1 %$word% * OR "; 

} /Wake su\rc -the INHERE clause e 叶 *ty 

tc-Po\rc appChdihJ it -to -the sca\rdh <^ucv-y. 

興 o o 

if ( ! empty ($where_clause) ) { ^ … ^rch 

$search query .= " WHERE $where clause"; 

—— l 

} (_TW.S opciraW Couait^aits j 

oY\b> a^o*tV>cv s-tvm^. 电 

Kisk .V Jflhs- ^cartii 

Write down the SQL query generated by this code ■ ,,:ni5 > lc,l;r ri ^>>iK 

when Ernesto enters “Bull Fighter Matador” as his 
search, and then annotate any problems you think 
it might have. 

SELECT ^ P 娜 riskyjobs 

iVttERE dcsd\rij>*tioir\ LIKE OR dlcsd\rip-tioir\ L|^E OK 

dcs^\rip*tio^ LIKE 1 %Matado\r7o , (0^ — Treves av\ c%*tv-a OR a*b tv\d <^f 

*tV^ c^cv*y> make it "fa.il! 
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implodeH builds a string from substrings 


What we really need to do is only put OR between the LIKEs in our 
WHERE clause, but not after the last one. So how exactly can that be 
done? How about a special case inside the loop to see if we’re on the last 


search term, and then not include OR for that one? That would work but 
it’s a little messy. A much cleaner solution involves a function that does the 
reverse of the explode () function. The implode () function takes an 
array of strings and builds a single string out of them. 


This is -the ddirni-tcv- "that 

,s bctwcch cadh o( 

tk stirihgs whch they 

ohC. 


$where clause = implode(▼ OR ▼, $where list) 


/ 丁 k irwplodcO -Puh^tioh 

V*ctu\rhS B sih^lc s*t\rihg. 


But how does that help the dangling OR problem in our query? Well, 
implode () lets you specify a delimiter to stick between the strings when 
combining them together. If we use ' OR 'as the delimiter, we can 


V 丁 Wis must be ^ a^ay 

- o*f s*brmjs ■biiat you 

y/ 3 n*t *to jo'm 


construct a WHERE clause that only has OR between each LIKE clause. 


^hdrpen your pencil 


Rewrite the PHP code that generates the Risky Jobs SELECT query so 
that it fixes the dangling OR problem by using the implode function. 
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sharpen your pencil solution 



Rewrite the PHP code that generates the Risky Jobs SELECT 
query so that it fixes the dangling OR problem by using the 
implode function. 

fscav-dh^ucv-y — “SELECT 决 FR0A1 Hskyjob,; 

片 . 二 . av T. a Y(.); i^plodcO adepts ah 

a\r\ray o\ sbr\^s -to be joined 

, u , -togc-thc^ v/c have io build 如 容 

f’scavdh 一 words 二 cqlodc( l ' / av-v-ay o( LI^B clauses. 

-fov-cadh (fscav-d^y/ovds as fy/o\rd) { y ^ 

•y L …… 卜丄门 • = • 厂 . 丄 :…, A vj ； fr …… used like D ^ 

....^ crc . Acstr ^. . Ll ^ .. /ofword/o . / . a cis sar,c as a^ay^us^O 

} -- \i adds a v\t>N element 

/wh^lausc '=，' \^odtC OR V .o 山如一 叫 . o(o 


o|o 


/ 




'usc\r sca\rdh — f 6 \BT C 1 usc\rsca\rdh ， 3 ； 





i-f "erwp*ty(fv/he\re 一 dause)) { 




The ddimitc\r passed -to implodeO is 
W with a spa^c oh eddh side o-P it. 




fscav-^h^ucv-y w IVHERE /where—dausc”; 


o|o 


o|o 


o|o 




JS 


o|o 


o|o 


of 


1^ order -fco use -the 
ir»»p!odcO -Puhdtioh, we 
•Pivst build dh a\rv-ay 
<^P disuses ahd 
s*to\rc therw ih the 
fwhcv-c__lis-t av-v-ay. 




Tiic result of 
§ implosion is several 

■Ij L|^t niduses joined 

*toybV^\r ORs. 





implode() 


$where list 



$where clause 
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Tqst DriVQ 


Take the Risky Jobs search form for a spin. 

Download the Risky Jobs application from the Head First Labs site at www. 
headf irstlabs . com/books/hfphp. The search . php script contains 
the query generation code you just worked through, and is used to process the 
search data entered into the form in the search . html page. 

Upload the script and other Risky Jobs files to your web server, and then 
open the search form (search . html) in a web browser. Try a few different 
searches to see how your query generation code fares. Make sure to try 
Ernesto’s “Bull Fighter Matador” search, which is a good test of the new 
implode () code. 


non- 


Rjsky JgjIk 1 - ^f.irch 


Rlslcf Ju; 

Dth^td Vouif 怕 J*b l» 

vffu have She guts to go find ir? 


Rbiky jubs - Search Kisulb 




JcshTiLlc 
Prize Finhwr 


TficfndflF 


EJctlGtu Uyll 
Ecpninnr 


SlA\ih 


l^csonpliLin 

Up Md gMi wbieJu baser needs an MO 

opponeat lo help bui Id hist winfiing necond _ Slaw 
sloppy hod And ■ j_w arc preKPPHi»No 

EMLIJCEtCDCC CCiyUinHf. lll 3 Si \% RUL 9 FuJ 3 a LlllK^ lilltinfCMS 

pn%iEbnn. ftVT 1 iwn yfiu ift rlif ： nl Ifty issd rh,^ rinl 
Eu yiajib | 1 ig jjyti** L^l Jin'll Kj 115 juy 

chajngiirimhip fijihCfir, nr sit EfJiid h^"ip tn 


UDL 1 ： 



J jwdy lwviP-« wnilinpr frar ynur 玷 ijwrinr nmi - 
li'iul^iLl. c-ipo Moving Mual pas* bawf tiuil 

Aj^hllnp, aptiludr td 

KaniiHkwily Tuii^ aumli an fiSApeiscin-ud gIecIisi: 

hnll rrpjiii 奶 rrreiiiteiOftrryfiii fi sc iN hnlfafl 

huL jju Winn uf lliFbcncfisi. 


n> 


B\rr\esh> does^i immediately see 
his Pcir-fcd-t \fisky job ； but hes 
detihi-tdy makihg p\rogv-css how 
that seauh sdv-ipt looks 
從 h ihdividual scav-dh 七心 . 



I-14 

2] 他 3] 

20UB-L1 1-1- 


'mf { 



« 
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can the search be improved? 




rm a tightrope walker. I visited 
your site and didrVt get back any 
good jobs even though I entered 
exactly the right search terms. 


yffu havfl 8ht gut* to 3 切伽 3 m 


Rbikj Jobs - Stsirdi 

riiwl your ri 5 ^yJob: 

fiiyhLiu^i wj “恕咖 uiLUi 

f Submit } 


Ti^Vofc y/alkcv- SeUa 
isy \’ 七 hav” as mu 乙 h 
lu^k y/rtii 七 he Risky 
Jobs scav-^ii -fo\rrn. 


^ o o 






Hbiky Jvbs - Starcii HusuUn 


Jmh Tttie 
M 咖 rC al J 邱咖 


^'fihtrapc rcn. ej 


*Jc^crip tJnn 

㈣ d fe ， at mt 

: r 

Moaun 4 肩 faculty i D E jfi T 


I 3 afc Pftttctl 
3 ⑽ S “ p 
j ：35 


200 S.IMJ 

21 : 17 : 1 * 


The scav-^h "tcv-rws deavly 
show a sca\r^h -fov- d tighiv-opc 
walkc\r ih the bui the 

^csulis 扣伙'七 e%dJy a 


Are the 
search terms 
to blame or 
are there 
really no jobs 
for tightrope 
walkers? 
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string and custom functions 


厂 




Write down the SQL query generated when Selma enters 
"tightrope, walker, circus" as her search, and then annotate any 
problems you think it might have. 


you are here ► 
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preprocessing the search strings 

- _%3harpen ywr pencil 

SotLn 


Write down the SQL query generated when Selma enters 
"tightrope, walker, circus" as her search, and then annotate any 
problems you think it might have. 


SELECT * ?K0!V\ Hskyjobs 


iVttERE dcsd\rip*tioir\ L|^E OR dcsd\rip*tioir\ Ll^B '%v/alke\r,%’ 伙 

dcsd\rip*tioir\ K %tWt^lo 


T)ic c^plodcO 
uses 

spates as 
dcl'»w'»'tcv-s ku*t 
•rt -to-tally hisses 

dommds. 





(0 



TV^C dommds art donsidcv-cd fart 
Jc -tV^c starcM "berms mstcad <^f 
scpav-a*tov-s bc*b>wccr\ *b^c 七 evms. 


explode() 





丁 he Ohly scairdh 

t 饮你 that is actually 

r^at^liihg jobs is Yivdus" 
because it doesh^t hdve 
a dorv\rv \3 a^didchtally 
studk oh-fco it. 


$search words 


I don't see what the big deal is. Just call 
the explode() function twice - first to get 
rid of spaces and then to get rid of commas. 
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The explode () function lets you explode a single 
string into substrings, but in this case we already 
have substrings. 

The first call to the explode () function leaves us with multiple 
strings stored in an array, so there’s isn’t a single string left to 
explode. And attempting to explode each string in the array would 
likely just create more problems. Instead of trying to solve the 
delimiter problem with multiple calls to explode (), we need to 
preprocess the search string to get it down to a single delimiter 
before we ever even call explode () . Then it can do what it does 
best — break apart the string using one delimiter. 

















string and custom functions 


Preproccss the search string 


We want to hand the explode () function a string that it can break apart 
cleanly in one shot. How do we do that? By making sure that explode () 
only has to worry with a single delimiter, such as a space character. This 
means we need to preprocess the search string so that each search term 
is separated by a space, even if the user entered commas. 



I/Ve Y\ttd to tuv-h this... 


tightrope , walker, circus 



tightrope walker 





circus 


Preprocessing data 


allows us to remove 
unwanted ckaracters 
and make tke ctata 
easier to process. 


… so that cxplodcO 
gives us -this/ 


Wo rwov-c domras/ 



$search words 


tJiereiare no ^ 

Dumb Questi9ns 


Can we use more than one character as the delimiter when 
exploding the search string? 

Yes, you can specify any number of characters to serve as your 
delimiter, but that’s not the same as specifying different delimiters, 
and won’t solve our problem here. 

If we used explode ( ', ', $user_search) to break 

apart our string, it would use a combined comma and space as a 
delimiter, and would work if someone entered “tightrope, walker, 
circus”. But it would fail if someone entered "tightrope walker circus". 
In that case, we’d be left with one long string—not good. 


Can we just delete the commas instead of turning them 
into spaces? 

That will work only if users separate their search terms 
with both a comma and a space, which we can’t count on. If we 
deleted commas, we’d run the risk of turning “tightrope,walker” into 
"tightropewalker", which probably wouldn't match anything in the Risky 
Jobs database. 


you are here ► 
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the php str_replace() function 


Replace unwanted search characters 


If you think about it, preprocessing the Risky Jobs search string is a lot like 
using find-and-replace in a word processor. In our case, we want to find 
commas and replace them with spaces. PHP’s str_replace () lets you 
do just that by supplying it three parameters: the text you want to find, the 
text you want to replace it with, and the string you want to perform the 
find-and-replace on. Here’s an example of str—replace () in action: 


TVis is 七 he subs-bv'm^ 
you y/ar\*t *to vefla 以 … 

$clean search = str replace ( 1 thousands▼, 



r 


… "this is "the s-tv-ih^ that 

gets ihSC\rtcd ih its 


hundreds 1 , 


! 


Make thousands of dollars your very first 



TKc i\\Wd pav-amc*tcv is i\\t 

i\\ai Will be cMa^td- WlcVc addm^ 

a little bo advcrtism^ by ^ 
w *tKousar\ds W w Kur\dv"cds . 


month. 


Apply now! 1 ); 


But what about those commas in the search string? The str_ 
replace () function works just as well at replacing individual characters: 


Rcmcrwbcv-, this is the 
substvmg youVc \rcpl 把 i% … 


$clean search = str replace ( 1 


<r 


! ! 


… and is 

youVc 

1 tightrope r walker r circus 1 ) 


Evcvywlicirc that a domma appears m 七 his _ 
s*brm^ rt y/i" be ircpladcd y/iih a spade- 


After this code runs, the variable $clean_string will contain the string 
u tightrope walker circus”. 





Do you see anything suspicious about the results of 
the str_replace () function? Do you think replacing 
commas with spaces will work like we want? 
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string and custom functions 




Given the PHP code below, show what the output of the $ search—words array will be 
for each of the following search strings. Make sure to write in data for the appropriate array 
elements, and scratch through elements if the $ search words array ends up being shorter. 


$clean_search = str_replace i 1 r 1 r ▼ ', $user_search); 

$search words = explode(' ▼, $clean search); 


bull,matador cape 


inininint 

$search words 


3 > syaccsf 




bull matador 


cape 


igmac 

$search words 


bull , matador cape 



$search words 


1 spates! 




bull,matador, cape 



$search words 


you are here ► 
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exercise solution 


BteRctSe 

SoLytiOH 


Given the PHP code below, show what the output of the $ search—words array will be 
for each of the following search strings. Make sure to write in data for the appropriate array 
elements, and scratch through elements if the $ search words array ends up being shorter. 


$clean search = str replace ( ▼, ', ▼ ', $user search); 


丁 his amray ohly has 
"thlrcc dc^Cirts. 




bull,matador cape 


TKcsc two av'vay $ search words 

actually empty because o\ ti^osc 
七 v/o c%*tva spates brbwe ⑼ maiadov- 
av\d tape m i\\t scav-dK 

Z spates! 

bull matador cape 


$search words = explode(' ▼, $clean search); 


$search words 


bull 


bull 


,matador 


1 spatesf 




,matador, 




cape 


cape 


ngaih, two empty elemehi 
"tKc is 

v-cpladcd with a spa^c 


$search words 
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string and custom functions 



Those single spades will 
cvc\ry single 

,h cadh job dcsd\riptioh. 
"They ^ \rcdl pirobl Crw. 


So we re all set now that 
were preprocessing the 
search string, right? 



Uh, no. Preprocessing gets rid of unwanted characters, 
but unfortunately，it doesn’t result in an array containing 
all good search terms. 

Remember, our goal is to end up with a string where each search term 
is separated by exactly the same delimiter, a space. Take another look at 
what happened in the last three examples on the facing page. Some of 
the elements in the $search_words array are empty. If we try to build 
our WHERE clause with the empty search elements, we might end up with 
something like this: 

SELECT * FROM riskyjobs 

WHERE description LIKE 1 %bull % 1 OR 
description LIKE T %matador % 1 OR 
escription LIKE ! % % ! OR 
escription LIKE T % % T OR 

description LIKE 1 % cape % 



But those spaces 
won’t match 
anything, right? 


Wrong! They will match everything. 

If there’s a space anywhere in a job description (which is 
pretty much a given), this query will match it and return it 
as a result. So every job in the Risky Jobs database will be 
matched by this query. We need to get rid of those empty 
array elements before we construct the SQL query in order 
to make the search script useful again. 
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stripping out empty search terms 


The query needs [ccyt search terms 

The good news it that it’s not too difficult to clean up our search terms 
before using them in a query. We’ll need to create a new array that only 
contains the real search terms. So we’ll copy all the non-empty elements 
from our first array into the second array，and then use that array to 
construct the SELECT query. 

To construct the new array, we can use a f oreach loop to cycle through 
each element in the original array, and then use an if statement to find 
non-empty elements. When we find a non-empty element, we just add it 
to the new array. Here’s what this process looks like: 



$final search words 


s -the oiri^ih^l SY'Y'Sy 
七 hat 匕 oirtdihs scav-dh 

tcirms 3hd empty clcmcivts 
caused by cx-t\ra spades. 
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string and custom functions 


Copy wow - empty elements to a new array 


Now let’s look at the code that will copy the non-empty elements from our 
$ search 一 words array to the new $final—search—words array. 

$search query = "SELECT * FROM riskyj obs"; 


// Extract the 
$clean_search 
$search words 


search keywords into an array 
-- str_replace ( ▼ , ' , ▼ ▼ , $user_search) 

=explode(' ▼, $clean_search); 

$final 一 search 一 words = array(); 
if (count($search 一 words) > 0) { 

foreach ($search—words as $word) 
if (!empty($word)) { 

$final search words[] = $word 




TVi'is is — replace 

Commas v/rth spates 
s*tv 二 ) replateO. 



Looj? through ea 匕 h elemev\i o( 

the fsca\r^h_wo\rd a\rv*ay. |-f the 
element is empty, put *rt \ y \ the 
K>amcd 一 seaah wov-ds. 


After checking to make sure there is at least one search term in the 
$search_words array, the for each loop cycles through the array 
looking for non-empty elements. When it finds a non-empty element, it 
uses the [ ] operator to add the element onto the end of the $f inal_ 
search_words array. This is how the new array is assembled. 

Then what? Well, then we generate the SELECT query just as before, 
except now we use the $f inal_search_words array instead of 
$search words: 


// Generate a WHERE clause using 
$where—list = array(); 
if (count($final—search 一 words) > 
foreach($final—search 一 words as 
$where 一 list[] = "description 
} _ 

} 

$where_clause = implode(▼ OR ' , 


all of the search keywords 


0 ) { 
$word) 
LIKE ▼ 



{ 

%$word% 


$where—list); 


TK»s *»s i\\t sa 啪 c Code Youvc 
seen -tKat builds -tKc _邮 
clause *tV^c scav-c.K 
but W»*tuscs-t^^ 
f-fmal_scav-c.K_v/ov-ds av-vay 七^七 


// Add the keyword WHERE clause to the search query 
if (!empty($where_clause)) { 

$search 一 query .= " WHERE $where_clause"; 


This code gives us a search query that no longer has empty elements. 
Here’s the new query for the search “bull ， matador, cape ”： 

SELECT * FROM riskyjobs 

WHERE description LIKE '%bull%' OR 
description LIKE '%matador%' OR 
description LIKE '%cape%' 



Will this search give our 
users the results they’re 
looking for? 


you are here ► 
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test out search.php 




Tqst DriVQ 


ft o n 


Update the Search script to preprocess the user search string. 

Update the search . php script to use the explode () and implode () functions 
to preprocess the user search string and generate a more robust SELECT query. Then 
upload the script to your web server and try out a few searches. 

Eti%ky J ah "' ' ^ ，jrLh 


i& amt 


Rlskl 

Risky jobs ■ Search Results. 


JobTiilc 

tiflltmCM 'Vnllfr 


\[jiHrr CuL JuggLcr 


AZ 


: U ： 


Tigbtrapc TcslcJ 1 
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FW 刪峋 邮呷 ㈣ 峋 

叩山 1-3 _ 咖 i. ¥ hLm]ic 

= 工卸；一 = ::叫 

c W renK 爪 a big 抑认 EKM*U*ni benafit^ncSudiJi? 

BB d di 邮靡 P»^*« plnB.pnr •记 ripdAffl 

「… rrr.K 咖 I = 

0 肌』咖舰 Hi 训明 aDS i»ui^ J. 训 um 

medical case *nd 6cpin6cnl case KintbuncmcJi?. 
gducaiicr.ciL BMisiDMC.paid vacaisor. uU 

—adapL.un aimlan«.Hex.U]c Uml 叫 
LcfLLce. Th.onlythi^ 伽 ? 

h Owbig _ and^fk 

』 w: and yourlMlince'.Othwdu^^^ mcJudc 
^-i ， in E ^.Kn^llire 

chmrrn.U^m K hy mmpk ㈣ 7. ' hn -f- 

ii 3 LliaJ!i^ uni3 a. wr.w «f 叫 P 叫祕 l»i 叫 wu 
d -^aLp ^ro^Lc — ⑻以 al_ 

]ivm wnr.iiobe diallen ㈣ W yoisrwltm f.o^s 

!LC= W 啊加吨 ■ 过， ] 叫 ㈣㈣ tfln 

offer yM \m^ invitee 州 

Ajc vuu a |jEaj ：， Uiwic* ⑽ 1 祕 11x1 巧 J U BK L,,1 S - 

n”— 一 — 一， a = 二 f 

^w be p « r 加 d Ed 

Master Cm Juh 】《 Pm^ 

]f 加 bought of dinslkr^fbrfcoim cr^ &uni g^t - IT 

fcdghi“s y 狐 ld« of I ■ 邮 * Hmc . 如 15 加 : 1 咖 
r,uiv be im ^u.Eivccy^ ^oui tE IJ ,!lEO P!*j ^ !， s 

ThaLcouldbcycilWcda p ®， ^ 
voulL r.«d mbriag ； ymif 卿 lifllfnc? and 


Dsiic PuniUsl 

MWR-H-U 

2 l ； 36 .l^ 


Sdma ； s u -tigh-t\ropc ； 
v/alkc\r, di\rdus” 
scav-dh how appeav-s 
"to be -Pihdihg 

r»»o\rc 

V"dcvaht jobs. 



J.HilW 



2 WB- 3 S 44 

2 ； t: 173 l 6 







string and custom functions 


I*m getting job listings, but I*m getting 
huge descriptions for each job. I don’t need 
that much information. I may have to try 
hazardpays.com, where they show only part of 
the job, and I can see more listings per page. 


O 



Although Risky Jobs is doing much better at finding 
jobs, the huge job descriptions are a bit much. 

What’s really irking Selma is her inability to see more job listings in her 
browser without doing a bunch of scrolling. It isn’t necessary to show 
the entire description of each job in the search results. Ideally, we really 
need to show part of the description of each job, maybe just the first 
few sentences. 


Write down how you think we could trim the job descriptions 
so that they aren’t quite so huge in the search results: 


you are here ► 
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the php substf) function 


Sometimes you just need part of a string 


Since the lengths of the job descriptions in the Risky Jobs database vary 
quite a bit and some are quite long, we could clean up the search results 


by chopping all the descriptions down to a smaller size. And to keep from 
confusing users, we can just stick an ellipsis (...) on the end of each one to 
make it clear that they’re seeing only part of each description. 


The PHP substr () function is perfect for extracting part of a string. 
You pass the “substring” function the original string and two integers. 
The first integer is the index of where you want the substring to start, 
and the second integer is its length, in characters. Here’s the syntax: 

substr {string r start r length) 


Tke PHP sutstrO 

function allows 
you to extract a 
portion oi a string. 


TW,s 如 O/—al 


This spc^i-fics whcvc io 
the subs-tvihg... 


V 


… 扣 d *tK'»s is Kov/ 

-to 代 * Um. 


When it comes to the substr () function, you can think of a string 
as being like an array where each character is a different element. 
Consider the following string: 


$job—desc = 1 Are you a practioner of the lost art of cat juggling?'; 


Similar to elements in an array, each character in this string has an index, 
starting at 0 and counting up until the end of the string. 


012345678 9. 


ioner of the lost art of 


cat juggling? 

… 50 51 52 


We can use these character indexes with the substr () function to 
grab portions of the string: 


Starb at 5 © -- ^ substr ($job—desc, 4, 3) _ 一 > 11 

(or 


S-tohrt ai ahd sihde 

we Ic-Pt o^f the sedohd 

av-gurwCht, it rwcahS 0o -fco 

the Chd of -the s-t\rihg. 



substr($job_desc. 


substr($job—desc. 


substr($job—desc. 



ing? 


0, 3) ■ > Are 

0, 9) _ 一 M Are you 
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Extract substrings from either end 

The substr () function is not limited to grabbing substrings from the 
start of a string. You can also extract characters starting from the end of a 
string. The extraction still works left to right; you just use a negative index 
to identify the start of the substring. 


Are ^ou^a^practitioner of the lost art of cat juggli 

一 53 - 52 - 51 - 50 ... ... - 3 - 2 - 1 



Here are a couple of examples: 

- 只 ’ 从⑼ ^ ^substr ($ job—desc, -53, 7) _ > " i you 

^v-ab 1 ~ 


SM ai ^ take substr ($job_desc 

the \rcst o-p the sVmg.~^ - 



juggling? 


— your pencil 


Below is PHP code that generates an HTML table for the Risky 
Jobs search results. Finish the missing code, whose task is to limit 
the job description text to 100 characters, and also trim down the 
date posted text to only show the month, day, and year. 


echo * <table border="0" cellpadding="2">'; 

echo ' <td>Job Title</tdxtd>Description</tdxtd>State</tdxtd>Date PostecK/td> * ; 
while ($row = mysqli—fetch—array($result)) { 


echo 

* <tr 

class=’ 

'results M >'; 





echo 

'<td 

valign: 

= n top M 

width= 

n 20% M >' 

.$row['title'] 

• '</td>'; 


echo 

'<td 

valign= 

= "top M 

width= 

n 50% n >' 

• 


• '...</td > ， ； 

echo 

'<td 

valign= 

= "top M 

width= 

n 10% M >' 

.$row['state'] 

• ， </td >，； 


echo 

'<td 

valign= 

= "top M 

width= 

n 20% n >' 

參 


. , </td> , ; 


echo '</tr>'; 


echo '</table>'; 
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sharpen your pencil solution 

-智 yo K? 


Below is PHP code that generates an HTML table for the Risky 
Jobs search results. Finish the missing code, whose task is to limit 
the job description text to 100 characters, and also trim down the 
date posted text to only show the month, day, and year. 


echo '<table border= n 0" cellpadding= M 2"> 1 ; 

echo ' <td>Job Title</tdxtd>Description</tdxtd>State</tdxtd>Date Posted</td> 
while ($row = mysqli fetch array($result) ) { 


echo '<tr class = M results M > 


Stidk ellipsis ov\ -the cir>d *to *mdida*tc 

七 ha 七 -this is o^ly fa\rt -the 


echo '<td valign="top M width= M 20%">' . $row['title *] . '</td>'; 

echo ' <td valign= n top" width= M 50%"> ' • . QiJ.QQ). 


..</ td> 


echo '<td valign= n top M width= M 10%">' . $row[* state *] . '</td> *; 

echo ' <td valign= n top M width= M 20%"> ' . subs-fc\r(frov/Cpos 七 ed’], O, lO) 


▼</td> 


echo '</tr> 


echo '</table> 


AH of ihc daic_postcd data stav-ts 
wilh MM-W-VVyy, whidh takes 
“p c^adily \0 



!\rs. 


il 6ee| B!t5 - 

It’s possible to skip the PHP substr () function and 
limit the job description data in the SQL query itself. You 
use a very similar MySQL function called SUBSTRING () 
that accepts the same arguments as substr (). The 
only difference is that the starting index starts at 1 
instead of 0. So grabbing the first 100 characters of the 
job description looks like this: 



Dumb Questi9ns 

Does substr () work on numeric values? 

No, it operates strictly on strings. However, If 
you have a number stored as a CHAR, VARCHAR, 
or TEXT, when you retrieve it via SQL, it's treated 
by PHP as a string, not a number, so you can use a 
substr () function on it. 


SELECT SUBSTRING(job_description, 1, 100) 
FROM riskyjobs; 

The advantage of sticking with the PHP function is that 
we have both the partial job description and the full job 
description available to us. If we use MySQL, we only 
get the partial job description, and would have to make 
another query to get the full description. 


What if your length value is longer than the 
string? Will it return a string with spaces at the end 
to make it match the length value? 

It will return the entire string. But it won’t pad the 
end of the string with spaces to change the length. For 
example, the following code will return the string “dog”: 

substr(’dog', 0, 10) 


530 Chapter 9 













string and custom functions 



Tesr DriVq 


Tweak the Search script to limit the text displayed for job 
descriptions and dates posted. 

Modify the search . php script so that it uses the PHP substr () function 
to trim down the job description and date posted text for the search results. 
Then upload the script to your web server and test it out with a few searches. 



ri o n 


Riskv JuS]s. 


Risky 

Dfl you hiv* thfl gUti to And ㈣ 

Riiiky lubii - Stsirth R&ulfe 


Job Title 

•I’lglaUui^ WaLkrr 

MaUrrCaLJugglcr 


Slate 

Dcstnp*on 

叫 b 叫卿 Iwknig 如 u 紙阳叫 J K 

with IJ y««P5 nf-r?sp^rirn «： to jhfrfhmi I iuhtr 

j\ie y mi a |ii j.lULiu*ici ut Uh? Uni sttlul caL j«ggLmS - ? 
friny «vunrpift«.,flRty lhf- hn\ Rm’ 

|jji®lLriB>3r bDuraonciMl tram great Ml 
' ■ cl^ni-i r HI ■ ■ 


l^ghtropc Lcylcx Uie 




Date Fostfid 

2WH 10 L J 1 


The pos-tmj date is also a bii 
casiev- -fco \rcad now that it ohly 
shows the dol-tc av\d v\oi the 
ddiht dKtd -time ， 




How can we change the page layout and query to 
allow us to sort by date posted, state, or job title? 
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Sclrw^ is pleased how "that 
she tav\ see job sca\r^h v-csults 
without having -fco scroll thv-ough 
humohgous job dcs^v-ip-tiohs. 











adding sort functionality to search results 


Multiple queries caw sort our results 

In order to allow visitors to sort their search results, we need a way for 
them to identify how they want their results ordered. Maybe a form... or 
a button? It’s actually way simpler than that. We can use HTML to turn 
each of the column headings in the search result table into links. Users 
can click a link to indicate which column they want to sort the results by. 






謹 丨 j Ws^rs hohC ih Oh jobs by 

soirtihj -the \rcsults based oh these 

層 headings. Wt cav\ tu\rh the headi^as 

nr 二 : ••山 — 悩七。价嫩 s 匕似 

Oh them -to so\rt the job listmjs. 


Jolts ■ Scsircti Results 


Job Title 

E'jghter 

Toreador 

FJ^cJem; null 
Repairer 





Scaur 

bk mu 


Description 

Up*nd COJTUD6 %-u^^Y ELrval 

oppr,n ft m «« hrlp haild hi: wi 刪邛 _rd Slc^ 

L^ly bovine W^Dfffoxyaar …沿 

CAJK “v 岣 skills.Musip«sb*sK butlfSeW' 

]bnVilk>nky Tonic r^^nn ^eclric 

bull K^\m.Tm rid«i(aftcr^ tis n\ ar.d tuL 


NJ 


Dace Fosscd 
2rxusai-u 

2006*11-^ 

■2CiClfi-l i-u 


轟 


We can use these links to reload the same Search script but with a query that sorts 
the results according to the link clicked. We already know how to use ORDER BY 
to structure a query with sorted results. If we create different SQL queries to 
ORDER BY each individual column, we can allow the user to sort the search results 
alphabetically by job title, description, or state, or chronologically by date posted. 

Here is the SQL query to sort results alphabetically by job description: 


SELECT * FROM riskyjobs 

WHERE description LIKE '%Bull%' OR description LIKE 
description LIKE '%Matador%' 

ORDER BY description 


TKis sorb i\\t v-csults Jc *tiic 
c^uevy oy\ job 七 uws m 

asde^dm^ alphabetical order. 


'%Fighter%' OR 
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pencil 


Write three different queries that sort the Risky Jobs results 
according to job title, state, and date posted. Assume the user 
has typed in the search string "window, washer, skyscraper”. 


How could we rewrite these queries if you wanted to see the job titles and states in 
reverse order? What about the newest jobs first? 
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ORDER BY sorts the SGSirch query results 



Write three different queries that sort the Risky Jobs results 
according to job title, state, and date posted. Assume the user 
has typed in the search string "window, washer, skyscraper”. 



T\\t dc-fault -fov- 
ORDER BV is 

ov-dcv-, >n\\\cM 
is i\\t same as say'm^ 

ORPER ASC- 


SELECT ^ P 娜 Hskyjobs 

iVHtRE dcs^\rip*tio^ 'Vov/mdow%, f)R dcs^\rip*tioi^ 1 %y/ashc\r% > OR 

description Ll^B { %skys6\r3^CY'% > 

ORDER By^ job — 

SELECT.^. FROM • 曲 j 如 . 

iVttERE ； dcs^y-iftiojr) L| 如 '?。. . jP 尺 . dcs^rip-tio^ .OK 

dcsdv-ip-tjo^ L(|sE 

ORDER sta-jtc 


SELECT ^ FRO/H H^yjobs. 

iVttERE description L|KE l %v/mdov/51/ dcsd\rip-tioir\ LlJ^B '7oy/ashc\r7o ； OK 

description LIKE '%skys^rape\r%’ 

ORDER BY date—posted 


How could we rewrite these queries if you wanted to see the job titles and states in 
reverse order? What about the newest jobs first? 


r 


^ might wa^-t 
these i-f wc ； vc 
^Ivcady ovdcv-cd 
OhC o-f the 

匕 olumhS e)hd "tKc 
USCV* clicks Oh it 

agaih {o vcvcvsc 
"the ovdev*. 



SELECT ^ IF 物 Hskyjobs 

iVttERE dcsdv-iptio^ LIKE l %v/mdov/% ， dcsd\rip-tioir\ Lj^E l %v/ashe\r%, 
dcs^\rip*tioir\ LIKE l %skys^rapc\r%’ 

ORDER DKC 

SELECT 糖 . Hskyjobs. 

iVttERE ； dcsd\rjp-tioir) L|jsE . P.8. .4?. s ^fiP."V!?!^ .!rr!K 兵 PR 

dcs4\rip*tioir\ 

ORDER By" stale DESC 


SELECT ^ P 麵 viskyjobs 

iVttERE dcs^\rij>*tio)r\ Lft^B { %v/\Y\dov/°/o , OR dcs^\rip*tioir\ Llt^B 1 7owashc\r% > OR 

description LIKE 1 %skysd\rapc\r% > 

^^ ORDER daic___postcdl DESC 
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It seems like a lot of redundant code 
will be needed to generate all those 
queries. Can't we avoid having the same 
query generation code repeated three, 
or even six times? 


Yes. While it’s true that we’H need to run a different 
query when a user clicks a different link, it’s possible 
construct a single query based on the link clicked. 

The first time the results are displayed, no links have been clicked so 
we don’t have to worry about sorting. We can just take the keywords 
submitted into our form and build a query without an ORDER BY. The 
results are displayed with clickable headings, each of which links back to 
the script, but with a different sort order. So each link consists of a URL 
with the original keywords and a parameter named sort that indicates 
which order the results should be in. 

What would really help in pulling this off is if we create our very own 
custom function that takes information about how to sort the job data, 
and returns a string with the WHERE clause and ORDER BY in place. Our 
new custom function takes a look at the sort parameter to figure out 
how to sort the search results. Here are the steps the function has to follow 



O 

❺ 

o 

o 

❺ 

o 


Preprocess the search keywords, and store them in an array. 

Optionally take a sort parameter that tells the function 
what column to sort by. 

Get rid of any empty search keywords. 

Create a WHERE clause containing all of the search 
keywords. 

Check to see if the sort parameter has a value. If it does, 
tack on an ORDER BY clause. 

Return the newly formed query. 


This might look like a lot of work, but we already have most of the code 
written. We just need to turn it into a function. But before we do that, let’s 
take a look at how to put together custom functions... 
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Fuwctiows let you reuse code 


A function is a block of code separate from the rest of your code that 
you can execute wherever you want in your script. Until now, you’ve 
used built-in functions that PHP has already created, explode (), 
substr (), and mysqli—query () are all functions that are predefined 
by PHP and can be used in any script. 


But you can also write your own custom functions to provide features 
not supplied by the language. By creating a custom function, you can use 
your own code again and again without repeating it in your script. Instead, 
you just call the function by name when you want to run its code. 


Custom functions 
allow you to 
organize a ckunk 

oi PHP code ty 


name so 


tkat it 


can 


Following is an example of a custom function called replace 
commas () that replaces commas with spaces in a string: 


te easily reused. 


To Cxtdkjt 3 tus*tow» 

Y ou ^ …狀 

七 he v/ov-d 灼乙七 ’oh. 




This is y/ha-tcvcv- you 
decide you *fco hdme 
you\r - make it 

as descriptive as possible. 



function replace commas($str) { 



$new_str = str_replace (’，’， ' ’， $str); 

return $new str; 


A se 七 o*f p3V"Cr\*tV^cscs -folloy/ 

Y\a^c You cav\ stY\d 0Y\t o\r move values m*to youv- 

as scpav-a*tcd by 3 

Co^a - rn i\\\s cast, just ortc value- 

Cumly blra^cs ihdi 地 
-the -fuhdioh todt 
should go, just like ih a 

loop oir i<f s-tatcmchi 


} Cav\ vc*tu\rr> d value *to 

Code i\^ai tailed rt - m 七 Ms 
cast y/c vc-tuvr^ i\\t altcvcd stvm} 


When you’re ready to use a custom function, just call it by name and enter 
any values that it expects in parentheses. If the function is designed to 
return a value, you can assign it to a new variable, like this: 


Wc f>dss m d sVm% 

v/alkcr, 匕 iMus 


$ clean 一 search = replace—commas ('tightrope, walker , circus ’）； 

€ 一 
-Pu^dtio^ vetuyhs 

d v\t^i s-tvmg y/i-th -the 

domras \rcpladcd by spates. 
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Puild a query with a custom function 


We’ve already written much of the code we need to create the custom 
function that generates a Risky Jobs search query. All that’s left is dropping 
the code into a PHP function skeleton. Here’s the custom build 
query () function: 


function build_query($user_search) { 

$search query = "SELECT * FROM riskyjobs 


1 /VcVc f>ass'm^ *m*fco -fuir>dtioy> 
七 he fuscv_scav-tV> av-vay 
dv-c3*tcd -fv-om 七 he dd'td 
entered m*to *tV>c scavtK -fovm. 


// Extract the search keywords into an array 
$clean 一 search = str_replace , ' ', $user_search); 

$search—words = explode(' ', $clean_search); 

$final 一 search—words = array(); 
if (count($search_words) > 0) { 

foreach ($search—words as $word) { 
if (!empty($word)) { 

$final search words[] = $word; 


// Generate a WHERE clause using all of the search keywords 
$where—list = array(); 
if (count($final—search—words) > 0) { 

foreach($final—search—words as $word) { 

$where list [ ] = "description LIKE '%$word%'"; 


$where clause = implode(' OR ’， $where list); 



new 

inside "the 
([AY\ChoJ 


// Add the keyword WHERE clause to the search 
if (!empty($where_clause)) { 

$search query .= " WHERE $where clause"; 


query 


return $search query; 


Actually, 七 Wis is Wtrts y/iic\rc 
v-ctuv-y> i\\t r\t^/ <\ucv-y so *tiic Code. 七 ha 七 
dalled -fuy>d*t*io^ dav> use *i*t- 


The build— query () function returns a complete SQL query based on 
the search string passed into it via the $user—search argument. To use 
the function, we just pass along the search data entered by the user, and 
then store the result in a new string that we’ll call $ search—query: 


$search 一 query = build—query($user_search); 

I This lc*ts us daftuve *tV>c value 
v.. ouv -Puy>d*tior> 

case ouv r\cvj scav-th <\ucvy. 


"This is "the value -fv-orw -the 
seaah -Po\rm -the usc\r submitted. 
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Custom Functions Exposci 

This week’s interview: 

Custom functions: how custom are 
they really? 


Head First ： Look, we’re all wondering one thing: 
what’s so wrong with redundant code? I mean 
really, it’s easy to create, you just copy and paste 
and boom. You’re done. 

Custom Function ： Oh, don’t get me started 
about redundant code. It’s just plain ugly and 
makes your code more difficult to read. That’s 
bad enough. But there is a much much more 
important reason to avoid redundant code. 

Head Rrst: Yes? 

Custom Function ： Well, what if something 
changes in your code? That happens pretty often. 

Head First ： So what? Things change all the time. 
You just go in and you fix it. 

Custom Function ： But what if the thing that 
changed was in your redundant code? And was 
in five, or maybe ten places throughout your 
application? 

Head First ： I don’t see a problem. You’d just find 
them and change them all. Done. 

Custom Function ： Fine, okay. But what if 
you missed changing it in one place? You’re only 
human, you programmers. If you missed it, you 
might have a very tough time tracking it down. 

Head First ： Sure, I guess that could happen. But 
how do you help? 

Custom Function ： Ah, but that’s the beauty 
that is me. If that code had been in a function, you 
could have changed it once. Just once. Bim bam 
boom and done. 


Head First ： I have to admit, that’s pretty 
compelling. But I still don’t see why I should go 
out of my way to use you. I mean, you’re pretty 
limited, right? You can only use strings. 

Custom Function ： Whoa! Wait a sec there, 
buckaroo! I can take any data type you care to 
send me. As long as the code inside me handles 
that data the way it should, I can use any data 
you want me to. Heck, I used an array in that last 
example. That’s pretty darn sophisticated, I’d say. 

Head First ： But you returned a string. 

Custom Function ： I can return whatever you 
want. It’s all about making the most of what I 
offer and using me correctly. 

Head First ： That’s another thing. You’re so 
demanding. You have to have data passed in. 

Custom Function ： Where are you getting these 
crazy ideas? You can call me with no variables if 
you want, and if I’m set up that way. If you don’t 
want to send me data, don’t write any variables in 
the parentheses next to my name when you create 
me. Although I can’t think of many reasons why 
you wouldn’t want to pass data to me. And get 
data back out again with a return statement. 

Head First ： We’re all out of time. Thanks for the 
time. 

Custom Function ： Don’t mention it. I live 
to serve. Or is that serve to live? Or serve liver? 
Something like that. 
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Tesr DriVq 


Modify the Search script to use the build 一 query () function. 

Create the new build query () function in the search . php script, making 
sure to replace the original code with a call to the new function. Upload the script 
to your web server and try out a search in a web browser to make sure it works OK. 


That new custom build—query() function is cool, 
but it doesn’t yet sort the search results. Could 
we add in another parameter that does that? 



Absolutely. We can pass the build 一 query () function two 
parameters instead of just one. 

We’re already passing the function the $user_search argument, which 
contains the user’s search terms. Now we need another argument, $sort, that 
indicates how to sort the data. The new $sort argument needs to control the 
order of data returned by the query in the six ways we came up with back on 
page 535: sorting by the j ob—title ， state, and date—posted columns of 
the riskyj obs table in both ascending and descending order. 

We could store the actual ORDER BY strings in $ sort to indicate the sort order. 
Or we could use the numbers 1 through 6 to represent each of the sorts, like this: 


VVc jus-t av-k'i-tv-anly 
tKosc -tKcsc numbers 


$sort 

$sort 

$sort 

$sort 

$sort 

$sort 


1 _ ORDER BY job—title 

2 _ ORDER BY job title DESC 


3 ORDER BY state 


4 ORDER BY state DESC 


5 ORDER BY date—posted 

6 ORDER BY date posted DESC 



s ho*t mudh poih*t ih 


soirtihg by job dcsdv-iptioh, 
3s dlphdbe'kiddl o\rdc\r 
doesh t rnedh "thcvc- 


*tKc 七^七 

are v\o special v-ulcs 
abou*t *»*t o*tKcv "to 
use 


But aren’t integers more cryptic when reading through your code? Without 
helpful comments, yes, but there’s a more important reason to go with integers 
here. If we used ORDER BY strings, our data would show up in the URL of the 
script as part of each heading link. This would inadvertently reveal our table’s 
column names, which you’d rather not make public for security reasons. 
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letting users specify the type of sort 


<a 



OK, I get how the new $sort argument 
works, but how do we know which value 
for $sort to pass into our function? 
Doesn't the user have to tell us that? 


Yes, users must specify how to sort the search results, just as 
they specify the search terms themselves. 

The good news is we already know how we want to implement this functionality: we’re 
going to turn the column headings on our results page into hyperlinks. When a user 
clicks on a given heading, like “State,” we’ll pass the number for sorting by state into 
our build—query () function. 

But we still have to get the sort order from the link to the script. We can do this when 
generating custom links for the headings by tacking on a sort parameter to the URL: 


The scavdh v-csults a\rc as 

pa\rt o( ah WT/V\L table, v/hidh is 
why "tide’s a <id> -tag hcvc. 

\ 

$sort links . = '<tdXa href 



?usersearch= 


$user search 


0 u\r build_«\uc\ryO -Puhdioh heeds 
the usev-^s keywords -to display 

^rcsul-b, so wc pass tha-t ih -the URL 


l/\fe *to vcload pay 4 ⑼ users 
c\\ci^ 3 sovt vcsul*ts) so 

make this a scl-f-\rc-fcvc^6^ ^o\rm. 


$_SERVER['PHP 一 SELF I]. 

'&sort=3">State</aX/td> , ; 

c 

1/Ve pass alor >5 sov-t data {p mdi^aie 七 he 
desived so\rt'mj of ihc seavdlv S'mdc -this 
is the state I'mk, w so\rt W is c<\ual *to 3. 


When the results page is generated, each heading link (except “Job Description”）has its 
own customized URL, including a sort value for how the results should be sorted. 

hvc-P- u scairdh.php?uscvscavdh-bul I 仑#七伙 matadov&sovt-l w > 



Risk 1 ! 、 

Your UfMm ant thflr#, 

Do You hava Ehc guta t 口 go find 


Risky Jobs - Search Results 

jub Titk- iX^-nplion 


Ov-dcv-'mj by dcsdv-ipiioh 
wouldn't tdl us so 

s jr>o \rColso^ "to "tu\rh i"t 
i^-to a so\rt I’mk. 




<a hv-c-P=- w scavdh fhf?uscv-scavdh—bulI -Pijh-tcv w>a*tadov"&so\rt=^: 

<a 二、 caalvphp?uscv"scav^h 二 bull -fijh-tev ma*tadov-&so\rb=*^ w 
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Hmm. I see how those links work for 
the first three queries, but what about 
the other three ORDER BYs that sort in 
descending order? Where do they go? 


O 



Joe ： Normally, the same heading would allow the user to sort in either ascending or 
descending order. 

Jill: That’s right. Each time they click a heading it just reverses the order. 

Frank: Doesn’t that mean we now have to somehow keep up with the state of the 
headings each time the user clicks them because they now have to link differently 
depending on what link they currently hold. 

Joe ： I don’t see what you mean. 

Frank: Well, the headings don’t always do the same sort. For example, if you click the 
“Job Title” heading and it sorts the results by ascending job titles, then the link must 
change to now sort on descending job titles the next time it is clicked. 

Jill: That’s right. But keep in mind that each type of sort has a number in the link 
URL to let the script know what kind of sort to carry out. And since we’re generating 
those links, we can control exactly what sort numbers get put in them. 

Joe ： I see. So the challenge for us is to somehow structure our code to be able to 
generate the correct link based on the current state of the sort, right? 

Frank: Ah, I’ve got it! Isn’t that something we can solve with a few if statements? I 
mean, that’s the kind of decision making they’re good for, right? 

Joe ： Yes, that would work but we’re talking about several decisions involving the exact 
same piece of data, the sort type. It would really be nice if we could come up with a 
better way to make those decisions other than a bunch of nested if-else statements. 

Jill: That’s a great point, and it’s a perfect opportunity to try out a new statement I 
heard about. The switch statement lets you make multiple decisions, way more than 
two, based solely on a single value. 

Frank: That sounds great. Let’s give it a try. 

Joe ： I agree. Anything to avoid complicated if-else statements. Those things give 
me a headache! 


Jill: Yeah, me too. I think the switch statement might just be the ticket... 
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the php switch statement 


SWITCH makes far more decisions thaw IF 


The switch statement offers an efficient way to check a value and execute 
one of several different blocks of code depending on that value. This 
is something that would require a small army of if-else statements, 
especially in situations involving quite a few options. 

Instead of writing nested if-else statements to check for each possible 
value, you instead write a switch statement that has a case label 
corresponding to each possible value. At the end of each case label, you 
put the statement break;, which instructs PHP to drop out of the entire 
switch statement and not consider any other cases. This ensures that 
PHP will execute the code in no more than one case. 


Let’s take a look at an example that uses switch: 


A SWITCH statement 

contains a series ol 

CASE labels tkat 

execute ctiilerent code 
blocks ctepenctingf on 
tke value of a variatle* 


switch ($benefit code) { 


■— 


case 1 : 


This is the value the swi-tdh 
s-tatcrwCh-t is - ii 

toy\bro\s the Chtiv-c swiH 



case 2: 

$benefits 
break; 
case 3: 
case 4: 

$benefits 
break; 
default : 


’Major medical, 10 sick days 1 ; TKlS Co At is 

The bv-cak ^^ 一 诎⑼ 

tells PliP -to dv*op out o-p 
the switch s-tatcrwcht. 


'bcr\C-f»*b to&t is 


'Death and dismemberment only, one month paid leave 


you bo do i\\t saw -fov- tv/o 

ov move values, jus*t leave bveak 

urrbl you \rcadii i\\t last value. 


Good luck! 


$benefits = 'None. 


values s-tov-cd \ y \ fbchC-Pit_dodc 
othcir I, Z ， o\r 午 will dduse 
de*Caul*t Code h> cxcdu-tc- 


echo 'We offer(four^comprehensive benefits packages 
echo 'The plan you ^have selected: ' . $benefits; 

(s/o*t vcally- Ti^cvc av-c or\ly 
^adka^cs s*mdc ^ a^d \ av-c bo*t^ 
same 七 iiaAs *to 灼。七 a bv-cak. 
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E%eftci$e 


Risky Jobs has a new function called generate—sort—links () that allows users to sort 
search results by clicking on the result headings. Unfortunately, it’s missing some important 
code. Finish the code for the function. And don’t forget the numbers for each search type: 

1 = ascending job title，2 = descending job title, 3 = ascending state, 4 = descending state, 

5 = ascending date posted, and 6 = descending date posted. 


generate 一 sort—links($user search, $sort) { 

$sort links =''; 


($sort) { 


case 丄 r 

$sort links .= 

'<td><a href = M ' . $ 

SERVER['PHP 

_SELF']. 

'?usersearch 

'&sort= 

$sort links .= 

M >Job Title</a></td><td>Description</td>'; 

'<td><a href = n, . $ SERVER['PHP SELF']. 

'?usersearch 

'&sort= 

$sort links .= 

M >State</a></td>'; 

'<td><a href = n, . $ 

SERVER['PHP 

一 SELF']. 

'?usersearch 

'&sort= 

M >Date Posted</a></td> 

!. 




$user 一 search . 
$user 一 search . 
$user search . 


case 3 : 

$sort links .= 

'<td><a href = M ' . $ 

SERVER['PHP 

一 SELF']. 

'?usersearch 

'&sort= 

$sort links .= 

M >Job Title</a></td><td>Description</td>'; 

'<td><a href = M ' . $ SERVER['PHP SELF']. 

'?usersearch 

'&sort= 

$sort links .= 

M >State</a></td>'; 

'<td><a href = M ' . $ 

SERVER['PHP 

_SELF']. 

'?usersearch 

'&sort= 

M >Date Posted</a></td> 

I . 




$user—search . 
$user—search . 
$user search . 


case 5 : 

$sort links .= 

'<td><a href = M ' . $ 

SERVER['PHP 

_SELF']. 

'?usersearch 

'&sort= 

$sort links .= 

M >Job Title</a></td><td>Description</td>'; 

'<td><a href = M ' . $ SERVER['PHP SELF']. 

'?usersearch 

'&sort= 

$sort links .= 

M >State</a></td>'; 

'<td><a href = n, . $ 

SERVER['PHP 

_SELF']. 

'?usersearch 

'&sort= 

M >Date Posted</a></td> 

1 . 




$user—search . 
$user—search . 
$user search . 


$sort links .= 

'<td><a href = n, . $ 

SERVER['PHP 

_SELF']. 

'?usersearch 

'&sort= 

M >Job Title</a></td><td>Description</td>'; 


$sort links .= 

'<td><a href = M ' . $ 

SERVER['PHP 

—SELF']. 

'?usersearch 

'&sort= 

M >State</a></td>'; 




$sort links .= 

'<td><a href = M ' . $ 

SERVER['PHP 

一 SELF']. 

'?usersearch 

'&sort= 

M >Date Posted</a></td> 

!. 




$user 一 search . 
$user—search . 
$user search . 


__ This is *thc dc-Paul*t sc*t o( 七 ha 七 should 

return affcav ^i\\tY\ *thc USCV hash *t a so\rt method. 
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the completed generate_sort_links() function 



Risky Jobs has a new function called generate—sort—links () that allows users to sort 
search results by clicking on the result headings. Unfortunately, it’s missing some important 
code. Finish the code for the function. And don’t forget the numbers for each search type: 

1 = ascending job title，2 = descending job title, 3 = ascending state, 4 = descending state, 

5 = ascending date posted, and 6 = descending date posted. 




generate 一 sort_links($user search, $sort) { 


$sort links = 


switch ($sort) 
case 1 : 


l-p fsovb >s I, i*t y/e’ve already 

sorted by job title ； so wc 灼 wd 
VC—so\rt ovdev*. 


$sort—links 
'&sort= Z 
$sort—links 
'&sort= 3 
$sort—links 
'&sort = 弓 


bv-cak; 


'<td><a href = n, . $_SERVER['PHP—SELF']. 
M >Job Title</a></td><td>Description</td>'; 
'<td><a href = n, . $_SERVER['PHP—SELF']. 
M >State</a></td>'; 

'<td><a href = M ' . $_SERVER['PHP—SELF']. 
M >Date Posted</a></td>'; 


?usersearch= 

?usersearch= 

?usersearch= 


case 3 : 


$sort_links 
'&sort= I 
$sort—links 
'&sort = 午 
$sort—links 
'&sort= 3 


bv-cak; 


'<td><a href = n, . $_SERVER['PHP—SELF']. 
M >Job Title</a></td><td>Description</td>'; 
'<td><a href = M ' . $_SERVER['PHP—SELF']. 
M >State</a></td>'; 

'<td><a href = M ' . $_SERVER['PHP_SELF']. 
M >Date Posted</a></td>'; 


case 5 : 


?usersearch= 


?usersearch= 


?usersearch= 


$user 一 search . 
$user 一 search . 
$user search . 


$user—search . 
$user—search . 
$user search . 


$sort_links 
'&sort= I 
$sort_links 
'&sort= 3 
$sort—links 
'&sort = 厶 


dc-fault ： 


'<td><a href = M ' . $_SERVER['PHP_SELF']. 
M >Job Title</a></td><td>Description</td>'; 
'<td><a href = M ' . $_SERVER['PHP_SELF']. 
M >State</a></td>'; 

'<td><a href = M ' . $_SERVER['PHP_SELF']. 
M >Date Posted</a></td>'; 


$sort—links 
'&sort= I 
$sort_links 
'&sort= 3 
$sort 一 links 
'&sort = 弓 


'<td><a href = n, . $_SERVER['PHP_SELF']. 
M >Job Title</a></td><td>Description</td>'; 
'<td><a href = M ' . $_SERVER['PHP—SELF']. 
M >State</a></td>'; 

'<td><a href = n, . $_SERVER['PHP—SELF']. 
M >Date Posted</a></td>'; 


?usersearch= 

?usersearch= 

?usersearch= 


?usersearch= 

?usersearch= 

?usersearch= 


$user—search . 
$user—search . 
$user search . 


$user 一 search . 
$user—search . 
$user search . 


return 


fso\rt Imks 

>*•••••• »_ _ • • • • • 


V 


l-p fsov-t V>as^*t bccr> sc*t yc*t or i-f •• 七 ’s 2*, 
or V/C should display ov-'i^mal Imks 
七 ha 七 sov-*t data asUY\d\^ ov-dev-. 
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frive build.queryO the ability to sort 

We now have two functions to handle Risky Jobs searches, build— 
query () constructs an SQL query based on search terms entered by the 
user, and generate—sort_links () generates hyperlinks for the search 
result headings that allow the user to sort the results. But build—query () 
isn’t quite finished since the query it generates doesn’t yet sort. The function 
needs to append an ORDER BY clause to the query. But it has to be the 
correct ORDER BY clause, as determined by a new $sort argument: 

^ WlcVc r>ov/ fsovt 

function build_query ($user search, $sort) { "to^OUV \Y\ 

$search_query = "SELECT * FROM riskyj obs M ; "bo fuSCV__SCdV 匕 iv 


// Add the keyword WHERE clause to the search query 
if (!empty($where_clause)) { 

$search 一 query .= M WHERE $where_clause M ; 


// Sort the search query using the sort setting 
switch ($sort) { 

// Ascending by job title 
case 1 : 

$search 一 query .= " ORDER BY title"; 
break; 

// Descending by job title 
case 2 : 

$search 一 query .= " ORDER BY title DESC"; 
break; 

// Ascending by state 
case 3 : 

$search 一 query .= " ORDER BY state"; 
break; 

// Descending by state 
case 4 : 

$search 一 query .= " ORDER BY state DESC"; 
break; 

// Ascending by date posted (oldest first) 
case 5 : 

$search 一 query .= " ORDER BY date posted"; 
break; 

// Descending by date posted (newest first) 
case 6 : 

$search 一 query .= " ORDER BY date posted DESC"; 
break; 
default : 

// No sort setting provided, so don't sort the query 


a\rc -the todt addiiiohs 
*to build 一， ue\ryO. This 

ik value o-f fso\rt av\d adds 
the do\r\rcspohdihg ORVBR 
by s-tatcmcht -to the Chd 
"the <^ucv-y. 


usevs load *tKc \rcsulis 
pay y/rtiiou 七 3 

CoW^Y\ fsov-t Will be 

eso as a dc-faul-t 
’七 sov*t *bV>c vcsul*U all- 


return $search 一 query; ; 

_ ^ M fseaah 一 as bcW, ohly -this 

With ah ORDER By clause ai -the e^d. 
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test out the revised search.php scirpt 




Tesr DriVq 


Revamp the Search script to use the two new custom functions. 

Create the new generate_sort_links () function in the search . php script, 
and then add the new code to the build—query () function so that it generates a 
query with sorted results. Don’t forget to actually call the generate_sort_links () 
function in the script in place of the code that echoes the result headings. 

Upload the script to your web server, open the search . html page in a browser, and 
try doing a search. Now click the headings above the search results to sort the jobs based 
on the different data. Make sure to click the same heading more than once to swap 
between ascending and descending order. 
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But sometimes I try a 
broader search and the 
results are overwhelming. 
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use pagination to display a subset of results 


Wc ca" paginate our results 

We’re displaying all of our results on a single page right now, which is a 
problem when a search matches lots of jobs. Instead of forcing users to 
scroll up and down a huge page to see all the job matches, we can use 
a technique called pagination to display the search results. When you 
paginate results, you break the collection of job matches into groups, and 
then display each group on a separate web page, like this: 
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That*s great, but how do we break up 
our results into groups like that? Our 
SQL query returns all the results that 
match the search string. 
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Pagination 
breaks cjuery 
results into sets ， 
and displays 
eacli set on its 
own wet page. 
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We need a query that will return just a 
subset of the results, not all of them. 

Luckily, SQL already gives us a way to do that: the 
LIMIT clause. Let’s revisit LIMIT and see how we 
can use it to split our results up into groups of five... 
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fret only the rows you need with LIMIT 


The key to controlling which rows we display on any given page is to add 
another clause to our search query, a LIMIT clause. To get a maximum of 
five rows, we add LIMIT 5 to the end of our query, like this: 


SELECT * FROM riskyjobs 
ORDER BY job title 


c^cv-y vc*buv^s dll 七 jobs m 七 he 
database, is c<\uivalent *to 

sc3v*£.iii^ Vrtii 於 o sc3v~C.ii "tcV"w\S. 


LIMIT 5 

〜|y \rctu\rh the -Pi\rst -five 

y\o how w\3iY\y 

ma-Uhcs avc actually *fouhd. 


If you recall, we use the custom build—query () function to create our 
Risky Jobs query. To force it to only display the first five matches, we just 
concatenate LIMIT 5 to the end of the query string after it’s built: 

$query = build—query($user_search, $sort); 

$query = $query . " LIMIT 5"; - 


LIMIT controls 

wkat and kow many 
rows are returned 

hy an SQL cjuery. 


/ 


Add'm^ a LIMIT dlausc b> *tiic tv\A o( a 

c^uCV-y limrts *tiic r^ur^bcv o( vov/s vc*tuvv>cd 
by 七 he m 七 iVis dasc *to -f IVC v-oy/s. 

This works well for getting the first five rows of results, but what about the 
next five rows, and the five rows after that? To pull out rows deeper in the 
result set, we have to change our LIMIT up a bit. But how? LIMIT 10 
would get the first 10 rows, so that wouldn’t work. We need to get rows 
6 through 10, and to do that we use LIMIT with different syntax. When 
you add two arguments to LIMIT, the first arguments controls how many 
rows you skip, and the second argument controls how many rows you get 
back. For example, here’s how you get rows 11 through 25, which would 
be the third page of results: 


$query 
$query 


build—query($user_search, $sort); 
$query . 

J 


LIMIT 10 


The -Pi\rst a\rgu^ch-t tells 
L|A1|T how \rows 
"to skip - -the -fiv-st tch. 






/ Custard Walker 


1 Shark Trainer 

- 、 

1 Voltage Checker 

... 

\. Antenna Installer 

... 

Elephant Proctologist 

y 

Airplane Engine Cleaner 


Matador 


Paparazzo 


Tightrope Walker 


Crocodile Dentist 


Mime 


Pet Food Tester 

… 、 

Toreador 

... 

Electric Bull Repairer 

•• / 

Firefighter 

~~y 



TKc second av-^umcir\*t 

to^*tvols iioy/ v-oy/s 

avc vc*tuv^cd — -fwc ； 
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use LIMIT to help paginate results 


Control page links with LIMIT 

An important part of pagination is providing links that allow the user to 
move back and forth among the different pages of results. We can use the 
LIMIT clause to set up the naviagation links for the bottom of each page 
of results. For example, the “next” and “previous” links each have their 
own LIMIT. The same thing applies to the numeric links that allow the 
user to jump straight to a specific page of results. 

Here are the LIMIT clauses for the first three pages of search results, 
along with LIMITS for some of the page links: 






Risky 
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4 
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LIMIT 5, 5 


LIMIT 15, 5 



LIMIT 10, 5 


LIMIT 5, 5 
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No problemo. We just need to write 
a bunch of queries with a different 
LIMIT on each one, right? 


Sort of. We need a different LIMIT depending on the 
page and link, but we can generate it instead of 
writing multiple queries. 

All we need to do is modify our build—query () function a little 
further to add the correct LIMIT at the end of the query it constructs. 
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Keep track of the pagination data 

In order to add the new pagination functionality to build—query () ， 
we need to set up and keep track of some variables that determine which 
search results to query and show on a given page. These variables are also 
important in determining how the navigation links at the bottom of the 
page are generated. 


$cur_j>age 

Get the current page, $cur—page ， from the script 
URL via $—GET. If no current page is passed through 
the URL, set $cur_page to the first page (1). 


$results_j>er__page 

This is the number of results per page, which you choose 
based on the look and feel of the page, and how many search 
results fit nicely on the page with the layout. This is where 
the second argument to the LIMIT clause comes from. 


$skip 

Compute the number of rows to skip before the rows on the current page 
begin, $skip. This variable is what controls where each page begins in 
terms of results, providing the first argument to the LIMIT clause. 


$total 

Run a query that retrieves all the rows with no LIMIT, 
and then count the results and store it in $ total. In 
other words, this is the total number of search results. 


$num_j>ages 

Compute the number of pages, $num—pages, using $total divided 
by $ re suits per page. So for any given search, there is a total of 
$ total matching rows, but they are displayed a page at a time, with 
each page containing $results—per—page matches. There are 
$num pages pages, and the current page is identified by $ cur—page. 
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setting up variables needed for pagination 


Setup the pagination variables 

Most of the pagination variables can be set up purely through 
information provided via the URL, which is accessible through the 
$_GET superglobal. For example, the $sort, $user_search, and 
$ cur—page variables all flow directly from GET data. We can then 
use these variables to calculate how many rows to skip to get to the 
first row of data, $skip. The $results_per_page variable is a 
little different in that we just set it to however many search results we 
want to appear on each page, which is more of a personal preference 
given the layout of the results page. 


the 

^u\r\rCht page, 
f 匕 u\r 一 page 
-P\rorw the 

URL via 与 £T. 

l-f s v\o 

匕 umhi page, 

set fVu\r__pagc 

■fco I. 


七 ^ sov*t ovdev*) 
y/V)i£.V) is nr\"tc^CV* 
*m tVic v-a^c I *to 


// Grab the sort /setting and search keywords from the URL using GET 
$sort = $_GET['sort']; 

$user search = $ GET[ 1 usersearch *]; ^ - 


^a\) the scav-dh sVmg 
that "the usc\r Chtcv-cd 
•mio the -Pov-m. 




// Calculate pagination information 



$cur_page = isset($_GET[ 1 page']) ? $_GET['page'] : 

$results per page =5; // number of results per page 


一 Pc-fauH: *to 

pay fay 

' iSh "t set 


I $skip = 

Sc*t number ^ 

v-csul*U pev" pay. 


($cur 


- 1 ) 


r $results_per_page); 

"the hurwbev* 0-(* 七 1^ 

*Pi\rs*t Vow oy\ the page, /skip. 


TK'is ^dl^uldi'ioy> vcsults *m O 
(or I, ^ (or 2 ., 10 


We’re still missing a couple of important variables: $ total and 
$num_pages. These variables can only be set after performing 
an initial query to find out how many matches are found in the 
database. Once we know how many matches we have, it’s possible 
to set these variables and then LIMIT the results... 
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Revise the query for paginated results 


Now that we’ve got our variables set up, we need to revise the Search 
script so that instead of querying for all results, it queries for just the 
subset of results we need for the page the user is currently viewing. This 
involves first doing a query so that the $ total variable can be set and 
the $num_pages variable can be calculated. Then we follow up with a 
second query that uses $skip and $results_per_page to generate 
a LIMIT clause that we add to the end of the query. Here’s the revised 
section of the search . php script with these new additions highlighted: 

你 y—- _hurh__\rowsO \rctuV-hS a 

o( how \nxBv\y "total V-ows 
we 代 \rctu\rhcd by the <^ U cv-y. 


TVis m v-cVicvcs all 
voy/s v/*i*bK LIMIT- 


// Query to get the total results 
$query = build_query ($use^^earch f $sort) 
$result = mysqli_que^y($dbc f $query); 
$total = mysqli num rows($result); 


S*to 代 away iht "total 

付⑽ with a dal I -to -the 

rwys 气 li 一 h__jr OWS () -Puh^tioh. 


$num_pages = ceil($total / $results_per_page ); 


// Query again to get just the subset of results 

$query = $query . " LIMIT $skip, $results—per—page 

^ ' 

$result = mysqli—query($dbc, $query); 
while ($row = mysqli fetch array($result)) 


Commie o-f pajes by aw.dmj Ual 

rov/s by number o\ results \>CV 

fay, 扣 dl \rour\d'm 5 uf i\\t result 

"The ^cilO -Puhd-fcioh \rouhds 
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Skip 仏 
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echo 

* <tr 

class="re 

SjUlts"> '; 

echo 

'<td 

valign= M t< 

pp" 

width 

echo 

'<td 

valign= M t|< 

op" 

width 

echo 

'<td 

valign= M ti< 

op" 

width 

echo 

'<td 

valign= M t! 

bp" 

width 

echo 

'</tr>'; 

V 



vc*tu\r^ 
*this \rov/s. 

'</td>'; 


'</td> 


echo '</table> 


Issue a scdor>d ^ucv-y, bu*t 

*tKis time L|A1|T *tKc 

VCSul*U *to duvvc^*t 
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creating the navigation links 


ftewcratG the page navigation links 

So we’ve set up some variables and built a new SQL query that returns a 
subset of results for the page. All that’s left to do is to generate the page 
navigation links for the bottom of the sarch results page: the “previous” 
link, numerical links for each page of results, and the “next” link. We 
already have all the information we need to put together the links. Let’s go 
over it again to make sure it’s clear how it will be used. 


$user 一 search 

Every page link still has to know what the 
user is actually searching for, so we have to 
pass along the search terms in each link URL. 

$num_j>ages 

We need to know how many pages there are 
in order to generate links for each of them. 


$cur 一 page 

The page navigation links are entirely dependent 
on the current page，so it’s very important that it 
get packaged into every link URL. 


$sort 

The sort order also factors into the pagination 
links because the order has to be maintained or 
else the pagination wouldn’t make any sense. 


OK, we know what information we need in order to generate the page 
navigation links, so we’re ready to crank out the PHP code to make it 
happen. This code could just be dropped into the search . php script, 
but what if we put it in its own custom function? That way the main script 
code that generates the search results can be much simpler, requiring 
only a single line of code to generate the page links — a call to to this new 
function, which we’ll call generate_page_links (). 

The only catch is that we don’t want this function to get called if there 
is only one page of results. So we need to do a check on the number of 
pages before calling the new generate—page—links () function. 

Here’s how we can perform the check and call the function, making sure 
to pass along the required information as function arguments: 

if ($num_pages >1) { 

echo generate page links($user search, $sort, $cur page, $num pages); 
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PHP& MySQL Magnets 

The generate—page—links () function is almost finished, but it’s missing a few pieces of code. Use 
the magnets to plug in the missing code and give Risky Jobs the ability to generate page navigation links. 

function generate—page—links($user 一 search, $sort, $cur—page, $num—pages) { 
$page links =''; 


// If this page is not the first page, generate the "previous" link 
if ( ) { 


$page_links '<a href='" . $—SERVER['PHP_SELF ， ]. 
'?usersearch=' . $user 一 search . 

'&sort=' . $sort . 


▼&page=' 

} 

else { 

$page links 




Tiic 1’mk app 

as a avvov/, as m ''< 


><-</a> 


)) 



// Loop through the pages generating the page number links 
for ($i = 1; $i <= $num pages; $i++) { 


if 


$page links . 


'.$ i ； 


$cur— page 


$cur_page 
$cur— page 
$cur_j>age 


% 


a 



else { 

$page_links • 二 
'?usersearch 
'&sort=' 

'&page=' 


<a href= M ' . $_SERVER['PHP_SELF'] 

.$user search . 


.$sort . 

.$i . ' M > 


.'</a>'; 


// If this page is not the last page, generate the "next" link 
if ( ) I 


$page_links ' <a href= M ' . $—SERVER['PHP_SELF']. 

'?usersearch=' . $user 一 search . 

'&sort=' . $sort . 

'&page=' . ($cur page +1) . '">-></a>'; 




else { 

$page links . 


^ The |*mk appedv-s as 

~ ^ a v-igh-fc a\r\row, ds w —> w . 


return $page links; 
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the completed generate_page_links() function 



PUP & MySQL Magnets Solution 

The generate—page—links () function is almost finished, but it’s missing a few pieces of code. Use 
the magnets to plug in the missing code and give Risky Jobs the ability to generate page navigation links. 

function generate 一 page—links($user 一 search, $sort, $cur—page, $num—pages) { 
$page—links =''; 

// If this page is not the first page, generate the "Previous" link 

$cur_page EdL) { 


$page_links .= '<a href= M ' . $_SERVER['PHP_SELF'] 

'?usersearch=' . $user—search . 

.$sort . — ^ - 


'&sort : 
'&page ： 


$cur page 


'x-</a> 




I^Vc still halve -fco pass 
alcmg the usc\r scav-^h 
data the sov-t 
o\rdc\r ih tdit\\ lihk URL. 


else { 

$page links .='<- 


^ 、 The k \^\o\as I'mk apfcav 

’ ； as a avvoy/, as m <■ 


// Loop through the pages generating the page number links 
for ($i = 1; $i <= $num pages; $i++) { 


if 


$cur_j>age 




$page links 


f f 


$i 


else 


/Wake suire pay lihk poihts 
ba^k -to -the same sdv-ipt - y/cVc 
just passing a di-Pfcv-cht pa^e 
w number y/iih lihk. 


$page—links . - 
'?usersearch= 


<a href= M ' . $_SERVER['PHP_SELF'] 

.$user search . 


'&sort : 
'&page ： 


$sort 


> 


.$i . ' </a>'; 



TV^c I'mk bo a 
spc6-f id fay is jus 七 
七 he pay \r\umbcv-. 

// If this page is not the last page, generate the "Next" link 
if ( 


$ cur—page < $num_peLges^J 


$page_links .= ' <a href= M ' . $_SERVER['PHP_SELF' 

'?usersearch=' . $user 一 search . 

'&sort=' . $sort . 

'&page=' . ($cur page +1) . '">-></a>'; 


else 


$page links 


.= ， -O 


/ 


The \\v\k appeals as 

a v*iglvt avvow, as \y\ w —> w . 


return $page links; 
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string and custom functions 


Putting together the complete Search script 

And finally we arrive at a complete Risky Jobs Search script that displays the 
appropriate search results based on the user’s search terms, generates clickable 
result heading links for sorting, paginates those results, and generates page 
navigation links along the bottom of the page. 


<?php 

// This function builds a search query from the search keywords and sort setting 
function build—query($user_search, $sort) { 

… 


return $search query; 


1/Vc^vc alv-eady buil*t 

so y\o v\ttA bo cvev-y 

I'mc -tKciv Code. Kcvc- 


// This function buildfe heading links based on the specified sort setting 
function generate soyt links($user search, $sort) 


return $sort links; 


// This function builds navigational page links based on the current page and 
// the number of pag^s 

function generate^^age links($user search, $sort, $cur page, $num pages) { 


return $page links; 


the so\rt o\rdc\r and scav-^h 

tha-t passed -thv-ough 
the URL as ^BT data. 


// Grab the sort setting anfiK search keywords from the URL using GET 
$sort = $_GET['sort']; 

$user_search = $—GET [ ' usersearch ' ] ; l^tializ^ variables 

/7 n ^ . , , . s\Ut well IViCm m 3 momCirrb 

// Calculate pagination information ^ ^ L | M | T 七 ^ W and bu.ld 


$cur_page = isset($_GET['page']) ? $_GET['page'] : 1; 
$results_per_page = 5; // number of results per page 
$skip = (($cur page - 1) * $results per page); 


^d^md-bion Imks. 


// Start generating the table of results 

echo ' <table border="0" cellpaddinq= M 2">' ; ^ , ,, 

Call the 3 ⑶ ewte 一 sortJmksO 

// Generate the search result headings 广 -to "the Irnks -Pov* the 

echo '<tr class= M heading n >'; tL 代 七 headings, av\d tc\\o -them. 

echo generate_sort—links($user_search, $sort); 
echo '</tr>'; 



Wav\(^ oi\) 
-tKcv-c^s w»OV-c! 



search.php 
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the final search.php 


The complete Search script continued... 


// Connect to the database 
require_once(*connectvars.php 1 ); 

$dbc = mysqli_connect(DB—HOST, DB—USER, DB_PASSWORD, DB—NAME); 


// Query to get the total results 
$query = build—query($user_search. 



$sort); 


$result = mysqli—query($dbc, $query); 
$total = mysqli_num_rows($result); 


Call "the build 一 que\ryO "to build 
the S 夕 L job ^ucv-y. 


$num—pages = ceil($total / $results_per_page); 

// Query again to get just the subset of results f 
$query = $query . " LIMIT $skip, $results_per_page"; 

$result = mysqli—query($dbc, $query); 
while ($row = mysqli—fetch—array($result)) { 


LIMIT dlausc 
y/e dv-ca*tcd *to <\ucv-y only 
d subset of job vcsul*U- 


echo 

'<tr class=’ 

'results M >'; 


echo 

'<td valign: 

= "top M 

width= 

n 20% n > 

echo 

'<td valign= 

= "top M 

width= 

n 50% n > 

echo 

'<td valign= 

= "top M 

width= 

n 10% n > 

echo 

echo 

'<td valign= 
'</tr> ’； 

= "top M 

width= 

n 20% M > 


echo '</table>'; 


row[* title' 


'</td> 


? substr($row['description 1 ] , 0, 100) 
row['state'] . '</td>'; 

substr($row['date_posted '], 0, 10) 

A^d hcv-c s the Code WC y/\rotc that thms 
dov/h -the job dcs^Hp-tioh a^d date posted 
us'mg the substmO 


// Generate navigational page links if we have more than one page 
if ($num_pages >1) { 

echo generate—page—links($user_search, $sort, $cur_page, $num_pages); 

} \ 

Call -the Imks() 

mysqli_close($dbc) ; io ^crait *thc 

. 1’mks, 七 tt\\o 

^ ,h 9 s "tidy by dosi% 

七 he 


'...</td>▼; 

</td>▼; 



Dumb Quest! 


ons 




Do we really have to pass the search, sort, and pagination 
information into generate 一 page—links () ? 


A 


Yes. And the reason has to do with the fact that well-designed 
functions shouldn’t manipulate data outside of their own code. So a 
function should only access data passed to it in an argument, and 
then only make changes to data that it returns. 




OK, so what about echoing data? Why doesn’t 
generate_j>age_links () just echo the links? 


A 


Same problem. By echoing data to the browser, the function 
would be effectively reaching beyond itself to make a change 
somewhere else. It's much harder to debug and maintain functions 
when it isn’t clear what data they change. The solution is to always 
return the data affected by a function, and then do whatever you want 
with the data returned by the function, outside of the function. 
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Tesr DriVq 


Finish the Risky Jobs Search script. 

Add the new generate_page_links () function to the search . php script, making sure to 
also add the code that calls it after checking to see if there is more than one page of results. Also 
create and initialize the variables used as arguments to the function. And don’t forget to update 
the query code so that it uses LIMIT to pull out the correct subset of results for each page. 

When all that’s done, upload the new search . php script to your web server, and then open the 
search . html page in a web browser. Try a few searches, making sure to search on some terms 
that will end up with lots of results so that the new pagination features kick in. For maximum 
result pages, do a search with an empty search form. 


non 


Ri'lcy ri,h 


Dck have Ihc guts go find ll? 


Risky jobs-Scurcti Results 



1 

SlJilt 

Uaip. K^siisd \ 

Mwador 

BusOiiagiDiiy inm Eoolf ing for p*H-EinK motodonci 
cDllcrLairi ipuntcd bull wi 111 iiul4£ caw A3l ALB3.— 

w 


PtipDmzzo 

T®p wlebjiL) 1 ptioicigmphiy fimi S&oking for seasoned 

paparazzo Iq ilJbISk Ecnip^niniciiEal lip'iyiicing pop— 

CA 〜 

^ 2005-03 Z4 

ShaA Ttniiwr 

Tminin^ sbasksio de cu[e sriclts forilic aud ienett ai 

our new »alcr Ehcmc pazk. Vaall sp^r-d lam … 

FL 



ThtCity flfDaiJvilk ii hiring fipefisluere. Nd 

cxpcn.'erjccd pdqu ircd _ you wEl Lnimcd. inao— 

OH 

200* M-22 

VdLi^sc Checker 

1 2 3 4 -> 

Yanll bfl QUt bufat field checking a£.and visages 

krtthe iMBe ail la ZSDojiTMrc valts. ¥— 

NC 

200^06-2* 


Download! It! 



Don’t forget, the complete source code for the Risky Jobs application 
is available for download from the Head First Labs web site: 

.headfirstlabs.com/books/hfphp 



B\TY)Csio has -Pouhd a job with 
the 3rwouh*t o-p irisk^ 
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Your PHP 备 MySQL Toolbox 

The Risky Jobs Search script required 
quite a few new PHP and MySQL 
techniques. Let’s recap some of the 
most important ones. 


LIKE 


Use Ll^E bo look -fov da-ta VrblVm 

S 公 L v/i*t^ou*b ^cdcssavily 

州 Pu 七 

3 % \ y \ -fvoir\*t ar\d/o\r 3 

scavdli -tcv-m *to lc*t LUnE khov/ 
i\\ai -tcvrn CSy\ have oi\\tr 
suvvou^dm^ i*t- 


a 


switch-case 

that allows y ou 仫 excite ohc 
Jiroups of code based oh a 

S ， 5 ，C V f luc - ^ youvsd^ 

a bu^h , C sicd i^ c |se 
也 Whts ，卜 ay A hd 似 
you ^ah code \i n，ovc c^idichily 
asa swi ^h siaic^i 7 


explode () r impl oc j e o 

C r p,odc0 

caks a s ^i h9 ih ^ ^ 

=' 十 ，— ihai ^ 

suL ^ by ' — h dcli ^ 

n c does W opposi-tc - 

严 , ds V 一如 3 

dtUmitY W 3 


str 一 replace () 

Call *tlVis PttP *to do a 

f md 一 and 一 veplade cm a sbr^ 
of *twt, oy\c £.Kav-a£.*tcv- 

ov St<\\AtY\U ^liav-a^-tcvs W\{\\ 

a^o^cv*. 

limit 


substr () 

TWis PHP fur\6*b。” c%*tv-a6*b a 
? ortio^ a 如 M based 广 

ar^mc^ts YOU suf\>lv *«t You 
arab *tV>C c\ a 如於少 

-t^C t^A a sVm 5 , or some ^\ttt 

m between. 



Cus-fcom -fu^dtion 

A dhur\k c^f PttP Code ov^hizjcd 
\v\bo a r\a^ed ； reusable padkaje- 
The idea is bo isolate Code that 
pcv-fovms a devtam task so -that 
i*t ddr\ be reused y/i*th m'mimal 
C-f-fo\rt dr\d Code duplida*tioh. 


TKc LIMIT clause lc*ts you tor>*brol 
t%aciYj V>o>w ma^Y \ro>ws avc 
rrbu\rr>ed by ar> S《L ^uevy* No*b 

o 心 仔 at, Wt L_T w sk? 

VOY/S *m *tv>c vcsul-t SC*t, all 。 賴 3 
you -bo isolate a subset <^f vcsulls. 
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10 regular expressions 


Rules for replacement ♦ 


Mrs. Blatt replaced the 
class hamster! Did she 
think we wouldiVt notice? 


String functions are kind of lovable. But at the same time, 

they’re limited. Sure, they can tell the length of your string, truncate it, and change 
certain characters to other certain characters. But sometimes you need to break free and 
tackle more complex text manipulations. This is where regular expressions can help. 
They can precisely modify strings based on a set of rules rather than a single criterion. 


this is a new chapter 
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risky jobs is getting bad data 


Risky Jobs lets users submit resumes 


Riskyjobs.biz has grown.The company now lets job seekers enter their 
resumes and contact information into a web form so that our Risky Jobs 
employers can find them more easily. Here’s what the form looks like: 


轎 AA _ 

RlsPcf J 上 

CkrgirldPim ^ 


In dddrtioh "fco 
hovrwoll ^Oh-tcl^-t 
ih-Po\rrn«|-tioh, a Risky 
Jobs Uhdidate must 
also Chtcv thciv 
desi\red job, as y/ell 
ols thciv- \rcsurwc- 


Kr^iaArutbu 



The r\cv/ Risky Jobs Rcjis-tv-atio^ 

-fov-m dllov/s job dd^dididoes *to e 的 *tcv 
about -themselves so 
po*terrbal employees -f md 



Our job seeker information is stored in a table that can be searched 
by employers, recruiters, and headhunters to identify potential new 
employees. But there’s a problem... the data entered into the form 
apparently can’t be trusted! 


ri r y^ ame:Four Angers 

^ ast Name.McGraw 

p !^ ，： f ^ r @9regs-listnet 
Phone: 555-098 

Desired Job: Knife Juggler 


First, I couldn’t get a ninja because his phone 
number is missing, and now my email to this knife 
juggler has bounced. I've pretty much had it with 
the bad data in the Risky Jobs resume bank. 


First Name: Jirnmy 
I ast Name: Swift 

SuJS@sim-u-duck.com 

Phone: 636 4652 
Desired Job: Ninja 


Q 


o 


Erwployc\rs cav\ scav-^h -the Risky 
Jobs ^hdidatc da-tabase av\d -thch 
people {jo possibly hive 
"therw... dssumih^ ehou^h 
ih-Po\rnf\3-(：ioh has bcch 


562 Chapter 10 
















regular expressions 



E%eftci$e 


Below is some of the code for the registration. php script, which displays and processes 
the user data entered into the form to register a new job candidate. Annotate what you think is 
wrong with the code, and how it could be changed to resolve the bad data problem. 


<?php 

if (isset($_POST['submit'])) { 

$first_name = $_POST['firstname']; 
$last_name = $_POST['lastname']; 
$email = $_POST['email *]; 

$phone = $_POST['phone']; 

$j ob = $_POST['j ob']; 

$resume = $_POST['resume']; 
$output_form = 'no'; 


if (empty($first—name)) { 

// $first_name is blank 

echo '<p class= M error">You forgot to enter your first name.</p> 1 ; 
$output_form = 1 yes 1 ; 

} _ 

if (empty($last_name)) { 

// $last_name is blank 

echo '<p class= M error">You forgot to enter your last name.</p>'; 
$output_form = 'yes'; 

} _ 

if (empty($email) ) { 

// $email is blank 

echo '<p class= M error">You forgot to enter your email address.</p> *; 
$output_form = 'yes'; 


if (empty($phone)) { 

// $phone is blank 

echo '<p class= M error">You forgot to enter your phone number.</p>'; 
$output—form = 'ye s'; 

} 一 

• • • ^ —- Coh*tihuih0 hoh— 

} job ircsurwc -fields. 

else { 

$output_form = 'yes'; 


if ($output form 


?> 


kr 


SV^oy/ -fov-m. 


'yes') { 
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exercise solution 



Below is some of the code for the registration. php script, which displays and processes 
the user data entered into the form to register a new job candidate. Annotate what you think is 
wrong with the code, and how it could be changed to resolve the bad data problem. 


<?php 

if (isset($_POST['submit'])) { 

$first_name = $_POST['firstname']; 
$last_name = $_POST['lastname']; 
$email = $_POST['email *]; 

$phone = $_POST['phone']; 

$j ob = $_POST['j ob']; 

$resume = $_POST['resume']; 
$output_form = 'no'; 


T\)t stvip*b tiicdks -fov cw'P'ty 
-fovm -f iclds) ^ood) 

some O-f *biic -fovm -f ields IlSVC 
move data must 

*to a tcvbam -fovmat 


if (empty($first—name)) { 

// $first_name is blank 

echo '<p class= M error">You forgot to enter your first name.</p>'; 
$output_form = 'yes'; ^ 

} ^ - T~hc\rc else we 

— ih \rcga\rd to -Piv-st By\d 

if (empty ($last_name) ) { lolst hames ； so this CoAt is -fihC- 

// $last_name is blank 
echo '<p class= M error">You 
$output_form = 'yes'; 

1 ， 

if (empty($email) ) { 

// $email is blank 


forgot to enter your last name.</p>'; 

email addv-css has a vevy sfcdi-fid 
forma 七 i\\ai wc should cr>-Pov-dc 

-fovm dd'bd -Pv-om USCV*. 


echo '<p class= M error">You forgot to 
$output_form = 'yes'; 

} _ 

if (empty($phone)) { 

// $phone is blank 

echo '<p class= M error">You forgot to 
$output_form = 1 yes 1 ; 

} 一 

〜 __ Cohtmuihg v^lidd'tih^ hoh—crup*ty 

j°b Ad \rcsurwc -fields. 


enter your email address.</p>'; 

Pou\r Pmjc^rs \t(i a dot oui 

o( his email addv-css -the tv\d - -the 
•Po\rrw should caic\) 七 hose kmd of cv-vov-s/ 

enter your phone number.</p>'; 

Same v/i*th a ^umbev- - *thc 

user’s -pov-m submission shouldn't be allowed 
unless we car\ be dev-ta'm *tha*t *thciv 
number IS \y\ {\\c dov-v-cd*t -PoV-ma*t. 


else { 

$output_form = 'yes'; 


if ($output_form == 'yes') { 


?> 

kr 


Show 如 -form. 


Jimmy £y/i-P*t 
didn't f\rovidc By\ 
a\rea todt wi*th 
his 

y/hidh *thc -form 
should ve 


l/Vhai wc v-cally y\ttd is a way -fco vcv-i-fy 
emdil dddv*csscs and ^urwbcv*s, "the 
two -fields ih -the -fov-rw iha-t hdve d 
spcdi-Pid. pov* "the fields i^s 

^ "to just make suve "they avc^^-t erwp-ty. 
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Why don’t we use some string 
functions to fix the bad data? 
Can’t we use str_replace() to 
add in the missing data? 


You can fix some data with string functions but they don’t 
help much when data must fit a very specific pattern. 

String functions are well suited to simple find-and-replace operations. For 
example, if users submitted their phone numbers using dots to separate 
the blocks of digits instead of hyphens, we could easily write some str_ 
replace () code to substitute in hyphens in their place 

But for anything that we can’t possibly know, like the area code of Jimmy Swift’s 
phone number, we need to ask the person who submitted the form to clarify. 
And the only way we can know that he’s missing an area code is to understand 
the exact pattern of a phone number. What we really need is more advanced 
validation to ensure that things like phone numbers and email addresses are 
entered exactly right. 


OK, but can’t we still use string 
functions to do this validation? 


O 


String functions really aren’t useful for more than the 
most primitive of data validation. 

Think about how you might attempt to validate an email address using string 
functions. PHP has a function called strlen () that will tell you how many 
characters are in a string. But there’s no predefined character length for data 
like email addresses. Sure, this could potentially help with phone numbers 
because they often contain a consistent quantity of numbers, but you still have 
the potential dots, dashes, and parentheses to deal with. 

Getting back to email addresses, their format is just too complex for string 
functions to be of much use. We’re really looking for specific patterns of 
data here, which requires a validation strategy that can check user data against 
a pattern to see if it’s legit. Modeling patterns for your form data is at the heart 
of this kind of validation. 
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define what your data should look like 


decide what your data should look like 


Our challenge is to clearly specify exactly what a given piece of form 
data should look like, right down to every character. Consider Jimmy’s 
phone number. It’s pretty obvious to a human observer that his number is 
missing an area code. But form validation isn’t carried out by humans; it’s 
carried out by PHP code. This means we need to “teach” our code how 
to look at a string of data entered by the user and determine if it matches 
the pattern for a phone number. 

Coming up with such a pattern can be a challenge, and it involves 
really thinking about the range of possibilities for a type of data. Phone 
numbers are fairly straightforward since they involve 10 digits with 
optional delimiters. Email addresses are a different story, but we’ll worry 
about them a bit later in the chapter. 



Ii ，s easy -Poir a hurrah -to 
look ahd see -tha-t Ji^^y 
4\rgo-t Vis airca Code, bu-t ho-t 
so ■trivial rhakihg the 
obsc\rvatioh W -Pv-orn PUP ^odc. 




0 



First Name: Jimmy 
Last Name: Swift 
Email: JS@sim-u-duck.com 
Phone: 636 4652 
Desired Job: Ninja 


tWeiare no o 

Dumb Questions 


I’m still not sure I see why I can’t 
just stick with isset () and empty () 
for our form validation. 

These two functions will tell you 
whether or not someone who submitted a 
form put data in a text field, but they won’t 
tell you anything about the actual data 
they entered. As far as the empty () 
function is concerned, there’s absolutely no 
difference between a user entering “(707) 
827-700” or “4FG8SXY12” into the phone 
number field in our form. This would be a 
huge problem for sites like Risky Jobs, which 
depends on reliable data to get in touch with 
job candidates. 


If isset () and empty () 
won’t work, can’t we simply have 
someone check the data after it goes into 
the database? 

You can, but by then it’s often too late 
to fix the bad data. If a phone number is 
missing an area code, we need to ask the 
user to clarify things by resubmitting the data 
in that form field. 

If you wait until later and check the data 
once it’s already in the database, you may 
have no way of contacting the user to let 
them know that some of their data was 
invalid. And since the user probably won’t 
realize they made a mistake, they won’t 
know anything’s wrong either. 


So, the best plan of action is to validate 
the users form data immediately when they 
submit the form. That way you can display 
an error message and ask them to fill out the 
form again. 

So then how do you decide whether 
the data the user entered is valid or not? 

That depends on what kind of data 
it is. Different types of information have 
different rules that they need to follow: 
what kind of characters they contain, how 
many characters they have, what order 
those characters are in. So you need to 
communicate those rules in your PHP code. 
Let's take a closer look at the rules 
governing phone numbers... 
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regular expressions 



Write down all the different ways you can think of to represent a 
phone number. 


What are some rules that are reasonable to expect your users to follow when 
filling out your form? For example, phone numbers should not contain letters. 

s ^ \rulc -fco -— ^ 

get you s-tav-ted- dould *msis*t oy\ \rulcs sudh Bs o^ly ar\(J[ dll 10 d^rts mus*t 

be ^\ay\ •fcojethev* 
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sharpen your pencil solution 



Write down all the different ways you can think of to represent a 
phone number. 


(弓弓弓）厶 3 厶一午厶弓 Z 


Spades, dasKes, vi^ivt 
lc-f*t favcr>*thcscs, and 
sometimes pcv-*iods dav> 
siiov/ uf>'m v>umbcv*s. 


1 七 、 cvch possible -to \uLdc letters 
•m a phohC hurwbev-, alihou^h this is 
the lirwi'ts o-f whd'k wc 

should Colder a valid hur^bev-. 


(弓弓弓)厶弘一午厶弓 2> 





拓弓厶3厶一午厶弓2> 


弓弓弓厶3厶一午厶弓 Z 


拓％%午沾 Z 


Weire S a v-ulc -to 
you s-tairted. 


一 的厶一 午厶弓 2* 


^ N\t NINJA 


What are some rules that are reasonable to expect your users to follow when 
filling out your form? For example, phone numbers should not contain letters. 

iVc 乙 ould *msis*t oy\ rules s\aCM Bs only diji*ts d^d dll 10 diji*ts rwus*t be 

\ru 灼 -boyt^cv- 


Wc *thc ^umbey* m*to *tWcc .f>.d ay-cd dodc^ oi^c 

^o\r -the ^i\rs*t *tWcc dibits, air\d *thc -f mal oir)C ^o\r *thc jas£ -fouy- dibits. 


0\r y/c dould *tcll the people -fillip ou*t "the -fo\rm *t^ci\r i^umbcv- 
mus*t look like ( 明弓 ) 石％ - 午沾 2>. |*t’s uf *to us *to make *t^C \rulcs. 


There are so many possible 
patterns. How can we make 
rules to cover all of them? 
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There are some things we know for sure about phone 
numbers, and we can use those things to make rules. 

First, they can’t begin with 1 (long distance) or 0 (operator). Second, there 
should be 10 digits. And even though some people might have clever 
ways to represent their phone numbers with letters, phone numbers are 
esentially numbers — 10 digits when we include an area code. 































regular expressions 


Formulate a pattern for phone numbers 

To go beyond basic validation, such as empty () and isset (), we need to 
decide on a pattern that we want our data to match. In the case of a phone 
number, this means we need to commit to a single format that we expect 
to receive from the phone field in our form. Once we decide on a phone 
number format/pattern, we can validate against it. 

Following is what is likely the most common phone number format in 
use today, at least for domestic U.S. phone numbers. Committing to this 
format means that if the phone number data users submit doesn’t match 
this, the PHP script will reject the form and display an error message. 


###-###-#### 



555-636-46521 

,7 

c— 5556364652 


555-636-4652 


This has 
"o ddshes. 


dasV^, 灼 e% 七 3 a 

dasK, a^d *tV^c 今 


636-46521 



This is missihj digits, 
a dhd 
dash that’s -thcv-c 
secies out J pla^c. 


TV^is ov\t ma*UiiCS ou\r 


thereiare no o 

Dumb Questions 


Do I have to use that pattern for 
matching phone numbers? 

That’s what we're using for Risky Jobs 
because it’s pretty standard, but when you’re 
designing your own forms you should pick 
one that makes sense to you. Just keep in 
mind that the more commonly accepted the 
pattern is, the more likely users will follow it. 

Couldn’t I just tell users to enter 
a pattern like ########## and then use 
PHP’s string functions to make sure the 
data contains 10 numeric characters? 


You could, and that would be sufficient 
if that was the pattern your users expected. 
Unfortunately, it's not really a very good 
pattern because most people don’t run their 
phone number together like that when filling 
out forms. It's a bit non-standard, which 
means users won’t be used to it, and will be 
less likely to follow it. 

So? It’s my pattern, I can do what I 
want, right? 

Sure, but at the same time you want 
your users to have a good experience. 
Otherwise they’ll quit visiting your site. 


OK, so couldn’t I use three text 
fields for the phone number: one for area 
code, then three digits in the second, and 
then the last four digits in the third. Then 
I could use PHP's string functions. 

Yes, you could, and some sites do 
that. But being able to match patterns gives 
you more flexibility. And matching patterns is 
useful for lots more things than just making 
sure your user enters the right pattern for 
a phone number, as you'll see later in this 
chapter. 
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introducing regular expressions 


Match patterns with regular expressions 

PHP offers a powerful way to create and match patterns in text. You can 
create rules that let you look for patterns in strings of text. These rules 
are referred to as regular expressions, or regex for short. A regular 
expression represents a pattern of characters to match. With the help of 
regular expressions, you can describe in your code the rules you want your 
strings to conform to in order for a match to occur. 


As an example, here’s a regular expression that looks for 10-digits in a row. 
This pattern will only match a string that consists of a 10 digit number. 

If the string is longer or shorter than that, it won’t match. If the string 
contains anything but numbers, it won’t match. Let’s break it down. 



丁 Wis farb is easy. AH 
c%fV"Css'ior\s bejm and end 
W\i\\ -Pov-y/av-d slashes. 



/ A \d\d\d\d\d\d\d\d\d\d$/ 


TV^c 6ava*b b> 
start a 七 * 、d stands -Pov- digit. The 

beyttc shc\^ dha\ra^cv- ih -the 

must be a digit -. 



V ) 

… and ot\t tV^csc 


This dollar s 咖 
says -tha-t the 
S'brmg rwus-t tv\d- 


same *biVnr^ *to look 
-fov- ar\o*bV^cv- 


There’s also a more concise way of writing this same regular 
expression, which makes use of curly braces. Curly braces are 
used to indicate repetition: 


/ A \d{10}$/ 



This mca^s -the same ds 
■the pa-ttev-h above. {/O} is a 
sho\rtha^d way -to say 10 diji-ts. 


Regular expressions 
are rules used to 
matek patterns in 
one or more strings. 
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Chapter 10 


regular expressions 



Yeah, regular expressions 
are really clear. About as 
clear as mud. 


■t’s true, regular expressions are cryptic and often 
difficult to read... but they are very powerful. 

Power often comes at a cost, and in the case of regular expressions, 
that cost is learning the cryptic syntax that goes into them. You won’t 
become a master of regular expressions overnight, but the good news 
is you don’t have to. You can do some amazingly powerful and useful 
things with regular expressions, especially when it comes to form field 
validation, with a very basic knowledge of regular expressions. Besides, 
the more you work with them and get practice breaking them down 
and parsing them, the easier they’ll be to understand. 
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common regex metacharacters 


Puild patterns using metacharacters 


Being able to match digits in a text string using \d is pretty cool, but if 
that’s all the functionality that regular expressions provided, their use 
would be sorely limited. Just matching digits isn’t even going to be enough 
for Risky Jobs phone number validation functionality, as we’re going to 
want to be able to match characters like spaces, hyphens, and even letters. 


Metackaracters let 
us describe patterns 
ol text witkin a 


Luckily, PHP’s regex functionality lets you use a bunch more special 
expressions like \d to match these things. These expresions are called 
metacharacters. Let’s take a look at some of the most frequently used 
regex metacharacters. 


regular expression. 


\d 


As you saw on the previous page, this metacharacter 
looks for a digit. It will match any number from 0 to 9. 
Keep in mind, on its own, \d matches just one digit, so 
if you wanted to match a two-digit number, you d need 


if you wanted to 
to use either \d\d or \d { 2 }. 


Looks for whitespace. This doesn’t mean just the space 
[aracter you get on the screen when you hit the Space 
ar，\s also matches a tab character, or a newline or 
carnage return. Again, keep in mind that \ s will only 
match one of these characters at a time. If you wanted 
to match exactly two space characters in a row you ， d 

need to use \ s \ s or \ s {2 }. 


The period metacharacter, matches any one 
character, except a newline. It’ll match a letter or 
digit, just like \w, as well as a space or tab, like 


s, 


\w 

Looks for any alphanumeric character—in other words 
either a letter or a number. It will match one character ? 
from the following: a-z and A-z (both uppercase and 
lowercase letters), as well as 0-9 (just like \d). 


We saw the caret metacharacter on the previous page 
as well. It looks for the beginning of a string, so you 
can use it to indicate that a match must happen at 
the start of a text string, rather than anywhere in the 
string. For example, the regex / A \d{ 3 } / will match 
the string “300 applications”，but not the string “We 
received 300 applications”. 


^ end of a stri ng. You can use this 
jmetacharacter with - to bookend your match, specifying 
exactly where it will start and finish. For example 广 \ 

5} \s\d{3}$/will match “Nanny 41 1 ”， butnot 
Nanny 411 is great 55 or “Call Nanny 411，，. 


These metacharacters are cool, but what if you really want a specific 
character in your regex? Just use that character in the expression. 

For example, if you wanted to match the exact phone number 
“707-827-7000”，you would use the regex /707-827-7000/. 
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regular expressions 


+ 


In 






Match each different phone number regular expression with the phone 
number that it matches. 


%gex 


String it m£ttc}ies 


/△\d{3}\s\d{7}$/ 


5556364652 


/ A \d{3}\s\d{3}\s\d{4}$/ 


555 636 4652 


/ A \d{3}\d{3}-\d{4}$/ 


555636-4652 


/△\d{3}-\d{3}-\d{4}$/ 


555 ME NINJA 


/ A \d{3}\s\w\w\s\w{5}$/ 


555 6364652 


/△\d{10}$/ 


555-636-4652 
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who does what solution 


ir + 

-- 

Match each of the phone number regular expressions with the phone 
number that it matches. 



\ This pattc\rh is all digits, so i-t 

匕 Ohly 3 phohC humbcv* 

with ho spaces o\r hyphens. 
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regular expressions 



BE . ^egul^r Ex? 贼細 

Your job is to play {he role of regular 
expression, and eitiier accept or reject phone 
numbers for Ri% Jobs users. Check Ae 

box of phone numbers that you 
deem valid, and leave tiie odiers 
uncliecl^ed. 加 notate why any 
invalid numbers are invalid. 



"This is the phohe 
humbeir ^cguldv- 
cxpv-cssioh - be \tl 


/ A \d{3}-\d{3}-\d{4}$/ 



□ (555) 935-2659 


(555)672-0953 



Su\r-Pihg t^y\ be 
hsky, especially 
whch you wov-k Bs 
piro^cssiohal shark ba\il 



555-441 -9005 555.903.6386 



555-343-8263 



555-612-8527-8724 
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be the regex solution 



BE . Regular E^rmfeti §©lug©ti 

Your job is to play Ae role of regular 
expression, and eitiier accept or reject phone 
numbers for Ri% Jobs users. Check Ae 

box of phone numbers that you 
deem valid, and leave tiie odiers 
undieeW. 加 notate ^iy any 

invalid numbers are invalid. Th,s ' s P hohC 

humbcir v-cgulav- 
cxpv-cssioh - be \il 



/ A \d{3}-\d{3}-\d{4}$/ 




□ (555) 


Pavcv>*thcscs avc^*t 
allov/ed ； 3ir>d 
y>c*i*thcv- avc spades. 

^35-2659 


(555)672-0953 




No pa\rchthcscs, please. 



555-441-9005 


OuV VC^uldV" 

c%fvcssio 灼 vc'uivcs 

dashes, r>o*t dots. 



555.903.6386 



555-343-8263 



W\\oa, the\re’s 扣 
cx-fcva -fouv* humbev~s 
Oh this OhC- |s that 
^ o((\U extehsioh? 


555-612-852 



J 
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regular expressions 



Sometimes people add additional digits to 
their telephone numbers, like a four-digit 
extension at the end. Is there any way 
we can match these patterns, too? 


Yes, but the key is to specify such a pattern as optional in your 
regular expression. 

If we changed our regex to / A d{3}-\d{3}-\d{4}-d{4}$/, we’d be requiring our 
string to have a four-digit extension at the end, and we’d no longer match phone numbers 
like “555-636-4652”. But we can use regular expressions to indicate that parts of the 
string are optional. Regexes support a feature called quantifiers that let you specify 
how many times characters or metacharacters should appear in a pattern. You’ve 
actually already seen quantifiers in action in regexes like this: 


/ A \d{10}$/ 


This says digit should 
show uf> 10 times m a v-ow. w 


Here, curly braces act as a quantifier to say how many times the preceding digit should 
appear. Let’s take a look at some other frequently used quantifiers. 


{min f max} 

When there are two numbers in the curly braces, 
separated by a comma, this indicates a range 
of possible times the preceding character or 
metacharacter should be repeated. Here we’re 
saying it should appear 2, 3, or 4 times in a row. 


or 


The preceding character 
metacharacter must appear 

one or more times. 


★ 


The preceding character or 
metacharacter must appear 

once or not at all. 


A quantifier 
specifies kow 
many times a 
metacliaracter 
skould appear. 


The character or metacharacter 

can appear one or more 
times... or not at all. 


So, if we wanted to match those optional digits at the end of our phone number, we 
could use the following pattern: 

/ A \d{3}-\d{3}-\d{4}(-\d{4})?$/ 


Suvvouhd the sc^-tioh 
the <\u«lh-ti-Pic\r applies 
"to ih pav-Chthcscs. 




The ^uCS*tio^ m3\rk makes 
-the Kypiic^ a 灼 d tKc last 

-pouv 灼 al. 
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using character classes 



You forgot one thing. 
U.S. phone numbers 
can’t begin with 0 or 1. 


You’re absolutely right. 0 connects you to an 
operator，and 1 dials long distance. 

We simply want the area code and number. We need to make 
sure the first digit is not 1 or 0. And to do that, we need a 

character class. 

Character classes let you match characters from a specific set of 
values. You can look for a range of digits with a character class. 
You can also look for a set of values. And you can add a caret to 
look for everything that isn’t in the set. 

To indicate that a bunch of characters or metacharacters 
belongs to a character class, all you need to do is surround them 
by square brackets, [ ]. Let’s take a look at a few examples of 


character classes in action: 


[ 0 - 2 ] 

This matches a range of numbers. It will 
match 0, 1， or 2. 

[A-D] 

This will match A, B, G, or D. 


1^ a ^hav-a^*tc\r c\ass, -the 

A w 七匕 

[ A b-f] 

This carat has a different meaning when it’s used 
inside a character class. Instead of saying, “the 
string must start with...”，the caret means “match 
everything except...” 

This will match everything except b, c, d, e, or f. 


A ckaracter class 
is a set oi rules 
lor matcltingf a 
single ckaracter. 


Write a regular expression that matches international phone 
numbers: 
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regular expressions 


Fiwe - time patterns with character classes 


With the help of character classes, we can refine our regular expression for 
phone numbers so that it won’t match invalid digit combinations. That way, 
if someone accidentally enters an area code that starts with 0 or 1, we can 
throw an error message. Here’s what our new-and-improved regex looks like: 




/ A [2-9]\d{2}-\d{3}-\d{4}$/ 

… 扣 d v/cVc lookmj (or …* followed by 丄 

•Uo move a» 5 »*b ^ th\rcc mov-c - dasV^ the 

be value -fvom 0—digits.... Ias*t t 


s ouv* 


TV^c tlass sa J 

Jf .vst evader must be 

球 W 2 ^' vc . 



T\\t A av\d f sfeti-fy ouv rty% 

mus-t c^omfass wiiole it%i 
s*bv*nr\^ y/cVc 1^ o^CV* 

y/ov-ds, *biic s-tv'm^ 6 扣’七 3r\y 

o-tVicv 乩 ava 乙 tevs i\\ai Aor!i belong 
*to *bV^C pilose r\umbcv-. 


tJieretare no o 

Dumb Questions 


So character classes let you specify a range of characters 
that will match the text string. 

Yes, a character class lets you specify in your regular 
expression that any member of a specified set of characters will 
match the text string, instead of just one. 

For example, the character class [aeiou] will match one 
instance of any lowercase vowel, and the class [m-zM-Z] will 
match one instance of any letter in the second half of the alphabet, 
lowercase or uppercase. 

And the character class [0-9] is equivalent to the metacharacter 
\d, which is really just a shorthand way of saying the same thing. 

Don’t I need to put spaces or commas in between the 
characters or ranges I specify in character classes? 

No, if you do that, those extra characters will be interpreted as 
part of the set of characters that should match the text string. 

For example, the character class 

[m-z, M-Z] 

would match not only uppercase and lowercase letters from m to z, 
but also a comma or space, which is probably not what you want. 


What if I want to match a character in a character class 
more than once? Like one or more vowels consecutively. 

Just add a quantifier after the character class. The expression 
/ [aeiouAE 工 OU ] + / will match one or more vowels in a row. 

Q/1 thought quantifiers only applied to the character that 
immediately preceded them. 

Usually that’s the case, but if a quantifier directly follows a 
character class, it applies to the whole class. 

And if you want to make a quantifier apply to a whole series of 
characters that aren't in a character class, you can surround these 
characters with parentheses to indicate that they should be grouped 
together. As an example, the regular expression / (hello) +/ 
will match one or more consecutive instances of the word "hello" in a 
text string. 

vJ I What if I wanted to match two different spellings of a word, 
like “ketchup” or “catsup ”？ 

• You can use the vertical-pipe character (|) in your regular 
expressions to indicate a set of options to choose from. 

So, the regular expression / (ketchup | catsup | catchup) / 
will match any one of the three most common spelling variants of the 
word. 
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escaping reserved characters 



O 



What about putting characters like periods or question 
marks in a regular expression. If I type those in, won’t PHP 
think they re metacharacters or quantifiers and screw up 
processing my regex? 



If you want to use reserved characters in your regular 
expression，you need to escape them. 


In regular expression syntax, there are a small set of characters that are given 
special meaning, because they are used to signify things like metacharacters, 
quantifiers, and character classes. These include the period (.)，the question 
mark (?), the plus sign (+)，the opening square bracket ([), opening and closing 
parentheses, the caret ( A ), the dollar sign (S), the vertical pipe character (|), the 
backslash (\), the forward slash (/)，and the asterisk (*)• 

If you want to use these characters in your regular expression to signify their 
literal meaning instead of the metacharacters or quantifiers they usually 
represent, you need to “escape” them by preceding them with a backslash. 


For example, if you wanted to match parentheses in a phone number, you 
couldn’t just do this: 

T)icsc v/»ll simply kc 

厂 -treated I'»kc a y 叶 

(555)636-4652 X / 八 （ \d{3”\d{3}-\d{4}$/ 


Instead, both the opening and closing parentheses need to be 
preceded by backslashes to indicate that they should be interpreted as 
actual parentheses: 


(555)636-4652 



(Vfow PttP kr^oy/s 

av-c literal v>av-cr\*t^cscs. 

/ A \(\d{3}\)\d{3}-\d{4}$/ 
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regular expressions 



E%eftci$e 


Come up with a string that will match each pattern shown. 


/ 八 [3-6] {4}/ / A ([A-Z]\d){2}$/ 


Suppose we want to expand the Risky Jobs validation scheme for phone numbers to allow users to 
submit their numbers in a few more formats. Write a single regular expression that will match ALL of 
the following text strings, and won’t allow a 0 or 1 as the first digit. Your pattern should only allow digits, 
parentheses, spaces, and dashes. 

555-636-4652 555 636-4652 

(555)-636-4652 (555) 636-4652 
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exercise solution 



Come up with a string that will match each pattern shown. 


mus*t 

3 *tWou 吵石 … 扣 dl repeal i\\ai 
/ 广 dhav-ad*tcv- dlass 

|4 - 匕 -fou\r times. 

/ 八 [3-6]{4}/ 


r»\us*t 
be^'m with... 



By\ uppercase 

lc*btcv ■… s 






/ 八 （ [A-Z]\d){2}$/ 


A^y *tha*t s*ta\rts W\{\\ -fou\r diji*ts *m *tlic 

午 ， $ o\r 厶 v/ill ma*t^iv These will dll 

^r f {{ Z^ is a 仙 mb 饮 ' 、艰 


A^y s-tvmj s*ta\rts W\{\\ By\ uppc\rdasc 
lc*t*tc\r Bv\d d diji*t Br\d 扣 o*the\r 

uppev-dase lc*t*tcv by\A digit a^d the 的 c^ds ： 

w B^cr, w R2.pr 


Suppose we want to expand the Risky Jobs validation scheme for phone numbers to allow users to 
submit their numbers in a few more formats. Write a single regular expression that will match ALL of 
the following text strings, and won’t allow a 0 or 1 as the first digit. Your pattern should only allow digits, 
parentheses, spaces, and dashes. 

555-636-4652 555 636-4652 

(555)-636-4652 (555) 636-4652 


Stvmj mus*t 

bqm y/rtiv- 工 tWou# 1 … Wc- 


a hyphen ov- a spade-■ 

V 


a^o*thc\r 

hyphen 




d 的 d a diji-t, 

-fouv times— 


A \(m-V\d{i}\^c-\s3\d{i}-\d{ ls r}i / 

T / T 


如 optiohal ope h 

P^^hthesis, whW wy 
a PP C ^ ^ ov / tir.es... 


d^d d 

dlijit-- 


dr\ optional 乙 lose 
pavc^'t^csis... 


dv\d d d 、 少 t’ 

tWcc Wes. 


扣 d "the 的 

ad- 
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regular expressions 


IVe pretty much had it with the bad 
data in the Risky Jobs resume bank. 
What good do these expressions do 
me if we doiVt use them in some way? 


Risky Jobs needs to put 
regular expressions to 
work validating form data! 
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the php preg_match() function 


Check for patterns with prcg^matchO 

We haven’t been developing patterns just for the fun of it. You can use 
these patterns with the PHP function preg_match () . This function 
takes a regex pattern, just like those we’ve been building, and a text string. 
It returns false if there is no match, and true if there is. 


preg— match($regex, 

y o uv- ^ocs licvc- Tiic -fur\dtior\ ^ 

a s*tv"m5> 

should be su\rvour\dicd by quotes. 


$my 


•fov 3 rwaikh goes 


Here’s an example of the preg_match () function in action, using a 
regex that searches a text string for a four-character pattern of alternating 
uppercase letters and digits: 


1/Vh ⑶ ircjc^cs avc passed -to pveg^atdhO, 

^ "they should be e^£.losed m Quotes. 

preg_match( 1 / A \d{3}-\d{2}-\d{4}$/ 1 


r 


RcW^s av\ I i-f i\\t 

*tKc pa*t*tc^rr>> 
a^d 0 "i-f i*t doesv/ 七 . 




You dah put -the actual pa-tti 
■Bjc -fuhdtioh like this, bu-t us 
•’七 s "to ik \ 。 


CVh ih 
bu*t usually 


f 555-02-9983 f ) 

Tins s*br’m 3 ma'ttiics 

arJ i\\t v/ill 

\rc*tuvr\ I- 


We can take advantage of the preg_match () function to enable more 
sophisticated validation functionality in PHP scripts by building an if 
statement around the return value. 


is y\cs*tcd m "tKc 6or\di 七 io 的， 
so its vcsul*t dc*tcv-m'mcs 
>wKa*t todt W\W 


VUh. 


if (preg—match( 1 / A \d{3}-\d{2}-\d{4}$/ f , 1 555-02-9983 1 

echo 1 Valid social security number. f ; 


else { 
echo 



l*P the rwatdh is suddess-ful, 
p\rcgL_ma-UhO \rctu\rhs tv-uc, whi 匕 h 

sidles h> PHP that the dohdiiioh 

is *t\ruc- -So ； "this 6-odc is \ruh. 

That social security number is invalid! 1 ; 


t |<f 七 ^ ^aieM is Yxoi sUUssQ, 

\rdvr\s -false, yn\\\cM 
makes ^or\di*tioir\ evaluate *to 
-false. So, 七 his 匕 ode is \ru 於 . 
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regular expressions 



E%eftci$e 


Rewrite the highlighted portion of the Risky Jobs PHP script for checking the Registration form 
data below to validate the text entered into the phone field using preg—match () instead of 
empty () ■ Use the regex you created earlier in the preg match () function. 


if (empty($phone) ) { 

// $phone is blank 

echo 1 <p class= TT error n >Your phone number is invalid.</p> ! ; 
$output—form = 1 ye s 1 ; 

} 
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exercise solution 


參 
§0( 


(u：tSe 

tytiOH 


Rewrite the highlighted portion of the Risky Jobs PHP script for checking the Registration form 
data below to validate the text entered into the phone field using preg—match () instead of 
empty () ■ Use the regex you created earlier in the preg match () function. 


if (empty($phone) ) { 

// $phone is blank 

echo 1 <p class= n error n >Your phone number is invalid.</p> 
$output form = f yes 1 ; 


Instead of wc use a pv-cg^moi-Uh 

"to validd'ke the phohe ^urwbcv-. IVc pvedede it 

with the opc\ra-tov 0 ), bemuse we waht -to 

thvow ah C\r\ro\r whchcvcv- the data 〆 Ouv hurwbev- \re^ulav* 

Doesn’t -the patt c\nr>. cxpvcssioh -fvorw bc-fovc. 

if fpho^)) { 

The tc\\o heeds -to be 乙 harmed d 
bit, s\v\Ct wcVc ^o-fc ohly 

.PK?*??. ,s . i b° IS d 

fou*tpu*t_-foV-m — yes^； ^\)OY\C humbc\r pat-tc\rh. 


// fphobic is »^o*t valid 


Wc set foutput -fov-m 
Y^ s ) Jus*t ds bc-Po\rc- 


I got an error and 
then entered my entire 
phone number. And 
then I got a ninja job! 


o 




First Name: Jimmy 
Last Name: Swift 
Email: JS@sim-u-duck.com 
Phone: (555) 636 4652 
Desired Job: Ninja 


if . 
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regular expressions 




Tqst DriVq 


No 七 jus*t emf 切 

^\\oy\C. r\umbcv"sf 


Check for valid phone numbers in the Risky Jobs Registration script. 


Download the registration . php script from the Head First Labs site at www. 
headf irstlabs . com/boo ks/hf php, along with the Risky Jobs style sheet (style . css) 
and images (riskyj obs_title . gif and riskyj obs_f ireman . png). Then modify 
the registration . php script so that it uses the preg—match () function to validate 
phone numbers against the phone number regular expression. Make sure to tweak the error 
message so that users know the phone number is invalid, not just empty. 


Upload the changed script to your web server, and then open it in a web browser. Try entering 
a few phone numbers with varying formats, and notice how the script catches the errors. 



Now we can’t accidentally 
enter bad phone numbers. 
That should keep us from 
missing job opportunities! 


hulqukkfv 
hn« anwhlPij. I 
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the php preg_replace() function 


Hmm. If our regex matches multiple patterns for 
the phone number, isn't the text going to be in all 
different formats in our database? Thafs not good. 
I think we need to standardize this stuff. 



Just because you’re permitting data to be input in all 
different formats doesn’t necessarily mean you want your 
data stored in all those formats. 

Luckily, there’s another regex function that’ll let us take the valid phone number 
data submitted by Risky Jobs’s users and make all of it conform to just one 
consistent pattern, instead of four. 

The preg_replace () function goes one step beyond the preg_match () 
function in performing pattern matching using regular expressions. In addition 
to determining whether a given pattern matches a given string of text, it allows 
you to supply a replacement pattern to substitute into the string in place of the 
matched text. It’s a lot like the str—replace () function we’ve already used, 
except that it matches using a regular expression instead of a string. 


preg 一 replace($pattern r $replacement r $my_string) 

一 / } 一少 

/ wc -fmd av\ y The 叫 weW doi 

the -fihd-j 

"to tuvn i 七 nvfco this. 


Wlc r\tt& *to -f md 


>ihg 

■^hd-ircpla^ -to. 


Here’s an example of the preg—replace () function in action: 


$new year = preg replace ( 1 /200[0-9] / 1 , 1 2010 1 , 1 The year is 2009. 1 ) 


^csul-t of -the 

is Co^\ti t) is 

stored ih 


/ 

Tills *tclls 

*to look 

-fov a -fov 2-000 

■tKvou^ii 2-0O 6 ). 


d is 

-fouK>d ； it v/ill be 
\rcpladcd wrth ZOlO. 



Ev^ry iime a ycav- “。你 
2-000—2-00 6 } is -fouhd 
•m ou\r stvihj, it will be 
^rcfla^cd by lOlO. 
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regular expressions 


■ 


Standardize the phone number data entered into the Risky Jobs form by writing in each of the 
following numbers in the phone column of the database table below. Make sure to use a format 
that stores as little data as possible to represent a user’s phone number. 






(555) 935-2659 


(555)672-0953 


555-343-8263 


555-441-9005 


555.903.6386 


555-612-8527-8724 
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exercise solution 


gotlitlOH 


Standardize the phone number data entered into the Risky Jobs form by writing in each of the 
following numbers in the phone column of the database table below. Make sure to use a format 
that stores as little data as possible to represent a user’s phone number. 


( 555 ) 935-2659 


( 555 ) 672-0953 


555 - 343-8263 


555 - 441-9005 


555 . 903.6386 


555 - 612 - 8527-8724 


T\\t v/ay "to 

s*tov-c a ^\\oY\t 
*is b> out 

but 




KijIVJ 5 热 - 





Dinfltff Ytiur jm- |&li la 
Qii ^qi# tiave Ihv Wnd Hr 

Bbkj Jobs- 

R.tglShM 1 wufll Klfiky JDbl-SBd pQH ^jr 

Fiisl XiiTU；: 
l^istNamG ： 
linuol ： 


DCSJCd M >： 


Paste >~our rcsttmc Ikic 


phone 
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regular expressions 


Standardize the phone number data 

Right now，Risky Jobs is using the following regular expression to validate 
the phone numbers users submit via their registration form: 

/ 八 \(?[2-9]\d{2}\)? [- \s]\d{3}-\d{4}$/ 


This will match phone numbers that fall into these four patterns: 




###■###■#### 


### ###■#### 


(###)-###■#### 
(###) ###■#### 


While these formats are easily interpreted by people, they make it difficult 
for SQL queries to sort results the way we want. Those parentheses will 
most likely foil our attempts to group phone numbers by area code, for 
example, which might be important to Risky Jobs if we want to analyze 
how many of the site’s users came from a specific geographical location. 

To make these kinds of queries possible, we need to standardize phone 
numbers to one format using preg_replace () before we INSERT 
data into the database. Our best bet is to get rid of all characters except 
numeric digits. That way, we simply store 10 digits in our table with no 
other characters. We want our numbers to be stored like this in the table: 


We want to reformat 
our data from this... 


.to this. 


########## 


This leaves us with four characters to find and replace. We want to find 
and remove open and closing parentheses, spaces, and dashes. And we 
want to find these characters no matter where in the string they are, so we 
don’t need the starting carat ( A ) or ending dollar sign ($). We know we’re 
looking for any one of a set, so we can use a character class. The order of 
the search doesn’t matter. Here’s the regex we can use: 






s 


dlosm^ favc^csis da$K 


sp 故 


Stamtardizingf 
your data gives 

you tetter SQL 

cjuery results. 
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stripping characters with preg_replace() 


fret rid of the unwanted characters 


Now that we have our pattern that finds those unwanted characters, we 
can apply it to phone numbers to clean them up before storing them in 
the database. But how? This is where the preg_replace () function 
really pays off. The twist here is that we don’t want to replace the 
unwanted characters, we just want them gone. So we simply pass an 
empty string into preg_replace () as the replacement value. Here’s an 
example that finds unwanted phone number characters and replaces them 
with empty strings, effectively getting rid of them: 




s-tov-c v-csul-b o-f o\ay 
(Y\t^j numbev- variable. 

$new_phone = preg 一 replace(▼/[\(\)\-\s ]/ 、 


Pc\r-Po\rm -this 

七 he "tex 七 ih fpliohC- 


Oh 


$phone) 


^av-a^tev-s... 


..如 d 代 pUe them 

with Cmp-ty s-fcHhg. 


###■###■#### 


### ###■#### 


(###、■###■#### 

(###) ###■#### 




All o*P these J>hohC hurwbev -Povma-ts 
^ ^ohsidc\rcd valid ； av\d av~e 

by the Rcgis-t\ra-(：ioh -PoVrn 



Ja 




phone 


5559352659 


5556720953 


5553438263 


5554419005 


5559036386 


5556128527 




preg replace() 


########## 


1 
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nurwbev is s*t3r>d3v~diz^d 
•m*to *Biis -foVn«a*t so 
^\\oY\t numbers all ar> id ⑼ *b 匕 al 
■foVw'3*b d3"t3lt)3sc* 
















regular expressions 


I don’t know, it seems kinda like overkill 
to worry about having 10 digit strings in 
our database. Couldn’t we just insist that 
users type that in in the first place? 


Sure, but it would end up causing problems later since 
phone number queries won’t work as expected. 

Most users are accustomed to entering phone numbers with some 
combination of dashes (hyphens), parentheses, and spaces, so attempting 
to enforce pure numeric phone numbers may not work as expected. It’s 
much better to try and meet users halfway, giving them reasonably flexible 
input options, while at the same time making sure the data you store is as 
consistent as possible. 

Besides, we’re only talking about one call to preg_replace () to solve 
the problem, which just isn’t a big deal. If we were talking about writing 
some kind of custom function with lots of code, it might be a different story. 
But improving the usability and data integrity with a single line of code is 
a no-brainer! 
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test out registration.php 




Tesr DriVq 


Clean up phone numbers in the Registration script. 

Modify the registration . php script to clean up phone numbers by adding 
the following lines of code to the script, right after the line that thanks the user for 
registering with Risky Jobs: 

$pattern = '/ [\ (\)\-\s]/▼; 

$replacement = *'; 

$new_phone = preg_replace($pattern, $replacement, $phone); 

echo 'Your phone number has been registered as ' . $new—phone . '.</p>'; 

Upload the script to your web server, and then open it in a web browser. Fill out the 
form, making sure to enter a phone number with extra characters, such as (707) 827- 
7000. Submit the form and check out the results. 


AOiQ 




Risky Jobs - Registration 


J 


•迪 


Dsrigtfl Y*uf Is- unit thfife, 

Du yuu liave the guts to go HrnJ it? 

Risky lobs - Registration 

Howard Soarston, for ^gistcriflg 

Your phnnfimiinhcr re£i 伽 ㈣ 




"The phohC 
is ^v-uh^hed 
dowh -to just the 
humbev-s - ho 


Try out a few other variations on the number, like these: 707.827.7000, (707)-827-7000, 
707 827-7000. Notice how the regular expression and preg_replace () get rid of 
the extra characters. 
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regular expressions 


o 


0 


xm _ 


My email to this knife juggler just bounced. 
I can’t believe this stupid form lets people 
enter email addresses that dotVt even work! 


Desired Job: Knife Juggle 


r 1 ■ Uc email 

addv-css is 
missiy^ d 
fCV"iodf 


Similar to phone numbers, email addresses 
have enough of a format to them that we should 
be validating for more than just being empty. 

Just like with validating phone numbers earlier, we first need to 
determine the rules that valid email addresses must follow. Then 
we can formalize them as a regular expression, and implement 
them in our PHP script. So let’s first take a look at what exactly 
makes up an email address: 



email addwscs 
tor.lam tKcsc -tv/o cMaratitrs. 


LocalName^ DomainPrefix. DomainSuffix 

\ 弋 

These will toy\ia\v\ wheve ^ TWis is usually 

LodalKa^c is at least ohc 、 al^a^umc^nd 

Dorhaihpirc-Pix is at least iv/o 6ha\r^6ieys. graders. 





See if you can come up with a regular expression that 
is flexible enough to match the email addresses to the 
right. Write it below: 
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a regex for email addresses 


Matching email addresses can be tricky 

It seems like it should be pretty simple to match email addresses, 
because at first glance, there don’t appear to be as many restrictions on 
the characters you can use as there are with phone numbers. 


For example, it doesn’t seem like too big of a deal to match the 
LocalName portion of an email address (everything before the @ sign). 
Since that’s just made up of alphanumeric characters, we should be 
able to use the following pattern: 


/ A \w+/ 



S"ta\rts witli.. 


... 0 y>c ov 祕 t 

cravat 七 evs. 


This would allow any alphanumeric character in the local name, but 
unfortunately, it doesn’t include characters that are also legal in email 
addresses. 

Believe it or not, valid email addresses can contain any of these 
characters in the LocalName portion, although some of them can’t be 
used to start an email address: 



^11 




*bV\c 


U^alKamc ?art 
email addvcss. 



I ~ # % 




If we want to allow users to register that have email addresses containing these characters, 
we really need a regex that looks something more like this: 


/ A [a-zA-Z0-9] 

t 

f.vst cMaratitr ^ould 
be o-f 


[a.-zA—Z0"9\ . \_&! ?=#]*/ 

k 一 夕 

The \rcs*t o( 

tharatitrs ta^ be …如 d we $ k 

a^yo^ 从仪 … 饮⑽代 J th. 


This won^ match every single valid LocalName^ as we 5 re 
still skipping some of the really obscure characters, but it’s 
very practical to work with and should still match the email 
addresses of most of Risky Jobs users. 
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regular expressions 



This email stuff is easy. We just use the 
same pattern we used for the local name 
to validate the domain name... no big deal! 


That would work for part of the domain, the prefix, 
but it wouldn’t account for the suffix. 

While the domain prefix can contain pretty much any combination of 
alphanumerics and a few special characters, just like the LoccdMame, the 
restrictions on domain suffixes are much more stringent. 

Most email addresses end in one of a few common domain suffixes: 

.com, . edu, . org, . gov, and so on. We’ll need to make sure email 
addresses end in a valid domain suffix, too. 


thereicire no ^ 

Dumb Questions 


What if I want to allow every possible valid email address? 

You can, and if it makes sense for your web site you certainly 
should. But sometimes it's best to take commonly accepted formats 
and not necessarily accept every possible variation. You need to 
decide what 99.9% of your users will have as their emails and be 
willing to not validate the remaining .1% simply for the sake of more 
streamlined code. Validation is really a trade-off between what’s 
allowed and what is practical to accept. 

If you do want to implement more robust email validation on your 
site, you can find some great open source (i.e., free) PHP code here: 
http://code.google.eom/p/php-email-address-validation/. 


Won’t people get angry at me if they have an email 
address I refuse to validate? 

Possibly, but most people willl not have crazy email addresses. 
Most online email services have their own restrictive rules that keep 
users from creating crazy, although valid, email addresses like: 

crazy" @gregs-list. net. 

Valictation is of ten a trade-oil 
between wliat’s allowed amt 
wkat is practical to accept* 
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matching domain suffixes 


Vomm suffixes arc everywhere 


In addition to super-common domain suffixes that you see quite frequently, 
like . com and . org, there are many, many other domain suffixes that 
are valid for use in email addresses. Other suffixes recognized as valid by 
the Domain Name System (DNS) that you may have seen before include 
.biz and . info. In addition, there’s a list of suffixes that correspond to 
different countries, like . ca for Canada and . t j for Tajikistan. 

Here is a list of just a few possible domain suffixes. This is not all of them. 



O 





Some of those domains are only two letters 
long. Some have 2 or 3 letters, and a period 
and then two or three letters. Some are even 
4 and 5 letters long. So do we need to keep a 
list of them and see if theres a match? 



We could do that, and it would work. 

But there’s an easier way. Instead of keeping track 
of all the possible domains and having to change 
our code if a new one is added, we can check the 
domain portion of the email address using the 
PHP function checkdnsrr () . This function 
connects to the Domain Name System, or DNS, 
and checks the validity of domains. 


u 


6ee} BifS 


The Domain Name 
System is a distrubuted 
data service that 
provides a worldwide 
directory of domains 
and their IP addresses. It 
makes the use of domain 
names possible. Without 
DNS, we’d be typing 
208.201.239.36 instead of 
oreilly.com. 























































































































































regular expressions 


Use PHP to check the domain 

PHP provides the checkdnsrr () function for checking whether a 
domain is valid. This method is even better than using regular expressions 
to match the pattern of an email address, because instead of just 
checking if a string of text could possibly be a valid email domain, it 
actually checks the DNS records and finds out if the domain is actually 
registered. So, for example, while a regular expression could tell you that 
lasdj lkdf salkj af . com is valid, checkdnsrr () can go one step 
further and tell you that, in fact, this domain is not registered, and that we 
should probably reject sdfhfdskl@ lasdj lkdf salkj af . com if it’s 
entered on our registration form. 

The syntax for checkdnsrr () is quite simple: 


RcWns I ^ a real do^am 

ov- 0 i-f its hot 


\ 



a doma'rn This is 
cvcv-ythmg a-ftev- -the & siy. 


checkdnsrr( f headfirstlabs.com 1 ) 




If you’re running PHP on a Windows server, 
this command won’t work for you. 

Wfltcll \t\ l ns t ea d ， y° u can use this code: 

function win_checkdnsrr($domain f $recType='') 
if (!empty($domain)) { 

if ($recType=='') $recType= M MX M ; 

exec("nslookup -type=$recType $domain",$output); 
foreach ($output as $line) { 
if (preg_match( M / A $domain / n , $line)) { 

return true; 


return false 


return false; 


TVis is ohly issue i-P you\r web sc\rvcv* 
is iVihdows. youVc a W\v\do^s 

■ -to build youv- web site, but 

youYe a^ually fostmg \i h> a WWI〆/ 
L’mux sc\rvc\r, thch this is ^oi a problem. 

XW»s c%c6 tails 

avx octcv^al 

-tV\C domam. 

Just ^OV- f ImC just 

七 he WatK. You II see somc*tK»^ like 

ovc.llY^om ma.l =• 2-0 加切 I. 

OV-CiIIy 
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email validation in five steps 


Email validation: putting it all together 

We now know how to validate both the LocalName portion of an email 
address using regular expressions, and the domain portion of an email 
address using checkdnsrr () . Let’s look at the step-by-step of how 
we can put these two parts together to add full-fledged email address 
validation to Risky Jobs’s registration form: 



Use preg_match () to determine whether the LocalName portion of our email 
address contains a valid pattern of characters. 

We can use the following regex to do so: 

/ A [a-zA - Z 0 - 9 ] [a •- zA - ZO — 9 \• \ —&!? = #]*@/ 



Ko-tc -tKa-b y\o 

(jiolldv* s\(y\ a*t *tV»c cr\d 
tWis v-cy%, as 

will be ^av-ad-tev-s 


The email must s-bv-t Wi-th ah 

a^d ^ 

^Ohtaih humbeir o( alphahu — 。 

ahd “七 •… special 


TWis well also stareM (or 
an a 七 symbol (@)> "to make suv*c 

ouv- end'll addv-css CoY\ia\v\s ov\t 
bc-fovc *tV)C domam. 



If validation of the LocalName fails, echo an error to the user and reload the form. 



If validation of the LocalName succeeds, pass the domain portion of the text string 
users submitted to checkdnsrr (). 



If checkdnsrr () returns 0, then the domain is not registered, so we echo an error 
to the user and reload the form. 



If checkdnsrr () returns 1, then the domain is registered, and we can be fairly 
confident that we’ve got a valid email address. We can proceed with validating the rest 
of the fields in the form. 
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regular expressions 



E%^RciSe 


Below is new PHP code to validate users’ email addresses, but some pieces have disappeared. 
Fill in the blanks to get the code up and running. 


if (!preg_match(* ' , $email)) { 

// $email is invalid because LocalName is bad 
echo 'Your email address is invalid.<br / >'; 

$output_form = 'yes'; 

} 

else { 

// Strip out everything but the domain from the email 

$domain = preg_replace(' 1 , 

// Now check if $domain is registered 

if ( ) { 

echo * Your email address is invalid. <br / >'; 

$output_form = 'yes ’； 
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exercise solution 



Below is new PHP code to validate users’ email addresses, but some pieces have disappeared. 
Fill in the blanks to get the code up and running. 


Ouv V-CJC% -fov* 七 he povtio^ o 

by \ email address, 'm by \ at symbol. 

if (!preg_match(' [a - M - zo - mzo -\ 一 &!? 二 #] 鱗，》 


$email)) 


// $email is invalid because LocalName is bad 


echo 'Your email address is invalid.<br / > 
$output form = 'yes'; 


To 切 ou 七払 c UtalNamc ay.a a-t 
sM 〒以 Y 如如吶 U 
as-tv^c 七 ’m3. 


A 


else { 

// Strip out everything but the domain from the email 
$domain = preg—replace (’ /’[a - _ 一 ^ ^ 一 ?]^ 一，、 . 一 \ 一 &,? 二 #] 决 @/ ▼ , ” ， femdil 

// Now check if $domain is registered y* 

if ( !dhcdkd 价 〆 fdoW— … ){ pcv-fovm *tV^c 


); 



echo 1 Your email 'address is invalid. <br / > 



or\ 


七 he fcw3»l value. 


$output 一 form = 

} \ I^Ctkd^\r\r() \rcWv>s *bruC 4 

} 払 c domam \s^*t yrc^sWcd. 


It you V*c Oh B iMhdowS SCV*VCV", 
-Po\rgct -to ih^ludc the 
Code \oy wih dhc^kdhSV-v-O. 
thch ddll i-t hc\rc. 


BULLET POINTS - 

■ preg_match () locates matches for 
patterns in strings. 

■ preg—replace () changes matching 
strings. 

■ Quantifiers allow you to control how many 
times a character or set of characters can 
appear in a row. 


■ You can specify a set of characters to allow in 
your pattern using a character class. 

■ In your pattern, \d, \w, and \s are stand- 
ins for digits, alphanumeric characters, and 
whitespace, respectively. 

■ checkdnsrr () checks the validity of 
domain names. 
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regular expressions 



Tesr DriVq 


Add email validation to the Risky Jobs Registration script. 

Use the code on the facing page to add email validation to the registration . php 
script. Then upload the script to your web server, and open it in a web browser. Try 
submitting an invalid email address, and notice how the new regular expression code 
rejects the form submission, and displays an error message to explain what happeened. 


Thafs it, I filled my quota 
of risky jobs. Nothing to 
do now but add up all the 
money I just made. 


^ o o 






L ^ to gc firtf 

Risky Jobs ■ Registration 

Yom emaB addrw* fe Invalid 
風吨也 r with Tti 私娜 ， —_ X 嘯 . 咖 脈 




J 



tmai ]： 


ilKUJ: 

HScRV 

amc'. 

ChumW^y 


rlEtW fJC€flS- 

i- 

5，^S - V'lli- H J •抑 




C\r\ro\r message poihts 
out -that the usev-s 
address is ihvalid 
(ii has a spade instead 
o-f ah & symbol). 


0 

o 




Paacc your rciiinK hew: 



IVith the help validation ih the 

尺 isky Jobs Rcgistv-atioh • •仏 

ho lohgeir a problem gcUihg m Wh 

^ P 一 si 〜。 b ^d\daics, ahd 

士 ill’m 3 job opchihgs m Ytto^rd 
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php & mysql toolbox 



Your ?W MySQL Toolbox 

Looking for patterns in text can 
be very handy when it comes to 
validating data entered by the user into 
web forms. Here are some of the PHP 
techniques used to validate data with the 
help of regular expressions: 


Regular exp\ressioh 

Rules that aire used -to matdh 
pattc\rhS of ie%i *, h s-tirihgs. PHP 
ihdudcs ^^iohS ihai allow you 
USC 代 3 山 ' r expircssiohs {jo dhcdk 

a 如 h 3 ‘ a dev-bih patteirh, as 
as + ,h d-ahd-.\rcpU^ pattev-hs 
七 withih a stvihg. 

preg—match() 

TW,s PHP ww a 


\d, \w, \Sf $' • • • 

(^c^ulav t^tssxo^s av-c seated 

us •，吒 

州_七 W 七 t^rtss^s^cM as 
iWtt ^mcr*»6 (\d\d\d) or 

>wWi*tcs\>a6c (\ 如 ). 


Cha^adcr dlass 

A seK vulcs 4\r matdhihg a 

S,h 3^ withih a vegulav 

cxpvcssioh. Fov example, - D] 

the dhava<itcvs A, B, C, 

OV p. 


1:: 以 £ 二， 

ov false 4 於 0 七， 


Preg_replace () 

Usdhis PHP Wtioh -to vepla^ 

a subs ^ ih 9 withih a 如吒 based 
a 1 ul 扣 C^plrcssioh. The 
Wtioh do« a *Pihd 一洳 “ 吓 la “ 

广 3 a ^9ul^ exp^cssioh 4v the 

+ _ h “ d with a stHha 

you provide it 


checkdnserr() 

TWls PHP t^tcVs a domam 

-to see ^ ^ a^allv 
TWis is vaMa 七 

email address b^ausc 70U _ 七 to 

make sure -t^a-t *tV>c domam \>art 
email *»s real- 
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11 Visualising your ckita... and more! 


♦ ♦ 

Drawing dynamic graphics 



Sure, we all know the power of a good query and a bunch of 

juicy results. But query results don’t always speak for themselves. Sometimes 
it’s helpful to cast data in a different light, a more visual light. PHP makes it possible 
to provide a graphical representation of database data: pie charts, bar charts, 
Venn diagrams, Rorschach art, you name it. Anything to help users get a grip on the 
data flowing through your application is game. But not all worthwhile graphics in PHP 
applications originate in your database. For example, did you know it’s possible to 
thwart form-filling spam bots with dynamically generated images? 


this is a new chapter 
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attack of the spambots! 


ftuitar Wars Reloaded: Rise of the Machines 


The future is now. Robots have already been let loose in the virtual world and 
there isn’t much to stop them other than some PHP coding vigilance. The robots 
are spam bots ， which troll the Web for input forms that allow them to inject 
advertisements. These robots are chillingly efficient and care nothing about the 
intended usage of the forms they attack. Their one and only goal is to overrun 
your content with theirs in a bloodthirsty conquest of ad revenue for their masters. 
Sadly, the Guitar Wars high score application has fallen prey to the bots. 


All wet iorms are 
at risk oi attack 
from spam tots. 



舰麟爵麵 f 驗 赢賊 


iey Central 


if S - Add Vaur Hi^h Seore 

Guitar Wars - Add Your High Score 

二 t 一 

二，一 

Head Last Labs 


m 


Spam bots excel at mindless repetition, in this case 
filling out and submitting form after form of Guitar Wars 
high score data that really contains ads instead of scores. 
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visualizing your data... and more! 


No input form is safe 

Fortunately for Guitar Wars, the spam bot attacks remain invisible to the end 
user thanks to the human moderation feature that was added back in Chapter 
6. However, the human moderator is now being completely overwhelmed by 
the huge volume of spam bot posts, making it tough to sift through and approve 
legitimate high scores. Human moderation is a great feature, but humans are at 
a disadvantage when facing an automated adversary that never gets tired. 





CUiC^r WiTS * Hi 


Guitar Wars - High Scores Administration 


This is ridiculous. I can’t 
possibly moderate all 
these posts, most of which 
appear to be bogus. I don’t 
even know what a f rowney is! 








mit ⑽灿卿 

^^2% HJ5 ： i5 WWW RcmtW 咖 


_ 狐 213 w ■也 -- 

wwwi^wrwyrtriLra xnm ■ ^ ^ ^ 柳脚 ㈣ Sjc 刪 ^ 吻 ㈣ 

W vwirci^w!.ctiiiraUom 尥 n 嚆加 柳 EiEMES^ 

- w 靜 JiiyidlirJUJwjrnnn ^ j Rb 咖如 . ApprJ^ 

抓 wiimdfc^^wo ^^.23 U ^；20 W999m 

:; rr= 侧 — 


Human moderation of high score posts clearly isn’t enough. We really need a 
way to prevent robots from being able to submit scores — head them off at the 
pass, so to speak. But this involves somehow discerning between an automated 
piece of software and a human with a real brain... a tricky problem, but one that 
can be solved. 


0u\r -fearless ^ui-b\r 
modcv-aW has 
•Pouhd himsd-P ih a losihA 
battle with bots that 

hCV ^ o( postihg 
bogus spam sdov-cs. 


Write down three questions you would ask to distinguish 


between a real human and the artificial brain of a robot: 


you are here ► 
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guitar wars: for humans only 


Wc need to separate mm from machine 


In order to figure out how to detect a real human on the other side of the Guitar 
Wars Add Score page, you have to first assess what exactly a spam bot is doing 
when filling out the form with bogus data. 



Its hotliihg -Pov- a spar^ bot 
-to vcpcatcdly blast 

Wi-th daia tchs, 

thousands o-p times … yikcs/ 


科 n n Ctfny itfarji ■ ^44 Ywpr mgti Scarf 


Guitar Wars ■ Add Your Hifth Heme 


Sl：iHK •> ㈣ 的 VFIM 

Screen shot ( f*iO 魯咖 



TV^c ^ui*tav- lA/av-s 
ddidbdse is bc'mj 
m^daied witV) bojus 
Wi# stores because *bV)C 
sf>dm bo*U 3v-c abus'mj 
i\\t Add Stov-c -form. 


Tke Actct Score iorm 
needs a new iield 
tkat requires kuman 
verification teiore 
allowing a kigk score 
to te sutmittect. 


"flic Add Sdo\rc 

*Po\rrn *to 

dis-fcihguisli bctwcch a 
v*c3l liumah post ahd ah 
au-tomated \robo-tid post. 

The problem with the Add Score form is that it does nothing to prevent 
automated submissions, meaning that any reasonably crafty bot programmer 
can create a bot that repeatedly fills the form with ad data and submits it. 

Sure, it never makes it to the front page of the Guitar Wars site thanks to the 
moderation feature, but it in many ways renders moderation useless because the 
human moderator is left manually removing hundreds of bogus ad posts. 

The form needs a new verification field that must be entered successfully in 
order for the score to submit. And the specific verification of this field needs to 
be something that is easy for a real human but difficult for a machine. 
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visualizing your data... and more! 


M 




Following are some ideas for form fields that could potentially be used to prevent spam bots 
from submitting forms. Circle the form fields you think would simply and successfully allow 
only human form submissions, making sure to annotate why. 


Are you a robot? Q Yes Q No 


What was Elvis’ favorite food? 


Retinal scan: Look into your web cam and click 


Enter the letters displayed: 


kdyqmc 


What is the result of 7 + 5? 


What kind of animal is this? 



Enter the letters displayed: 



Thumbprint scan: Press your thumb down and click 


you are here ► 
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exercise solution 




Following are some ideas for form fields that could potentially be used to prevent spam bots 
from submitting forms. Circle the form fields you think would simply and successfully allow only 
human form submissions, making sure to annotate why. 

Dc-f i^i-(：cly di-f-Pidul't -Pov* \robo*ts but 


BceRctSe 

SoLytiOH 

Too easy to ^ucss - eve” " 

jus*t a ^0% suttess Are 
v-a*tc *t^v-ou^ 5 uCSSm 3 , 

tv\d u^> a *to^ 

W 吵 stov-c pos*b. 

What was Elvis’ favorite food? 


Are you a robot? O Yes Q No 


voud tv\d 
o\ bo^us 


potch-tially di-f^idul-t -fov some humd^s 
as well. Hoi cvcv-yo^c knows Blvis loved 
peanui bu-ttev- av\d ba^^a sa^dwidhes. 
This would also v-c^ui\rc a hc-Piy database 
o( iv-ivia ^ucsiio^s 扣 d 如 swevs. 


"。七 bdd ， dssumih^ 七 he 
pass-phrase letters dffeav- as 

如 image and hot but 

fo-tch-tially lUav-tcd by bob 
sr^lrt Chough -fco use opiidal 

^ha\ra^-( ： c\r \rcdoghi-tioh (OCR). 


Retinal scan: 


Look into your web cam and click 




V 


Enter the letters displayed: 



E% 匕 ell ⑼七 bo 七 
s*toppcv- but 

dy\d *to 

implement 



Simple a^d c-f-fcd-tivc, mos-t bo-ts 
av ■⑶七 sma\rt chough io pav-sc 
ma-thcrwaii^al expressions — Ids 
just hope mos-t humdrts avc/ 


What kind of animal is this? 




Rcw»cw\bcv" 

doj *tV^a*t was 
abduced by albs 

cavlicv- *m "bKc book? 


PcdcptWcly cWcttivc - bots stvu^lc 
a 七 mtcvpvctm^ 60 灼七 ⑼七 of images. 

Bu*t i*t does v-c^uivc a da*tabasc c^f 

imd^cs ar\d a 扒 sy/€VS. 



Enter the letters displayed: 

Hoi <^uitc as mudh 
iv-oublc as \rctmal 
but s-ti|| 

\rc«\ui\rcs special Thumbprint scan: 

Ii3vdv/a\rc drtdi so^tv/airc- 




A ^i-r-ty irwpvovcrwch-t 

ov\ the othev- 
pass-ph\rasc vc\ri-picv- 
the Icttcv-s av-c 
obsduved with I'mes 
dhtJ dots -fco doh-Pusc 

bo-ts with OCR, 


Press your thumb down and click 
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visualizing your data... and more! 


Wc caw defeat automation with automation 


A test to verify that the entity on the other side of a form is a real person is 
known as CAPTCHA, which stands for Completely Automated Public Turing 
Test to Tell Computers and Humans Apart. That’s a long-winded way of 
referring to any “test” on a form that is ideally passable only by a human. Lots 
of interesting GAPTGHAs have been devised, but one of the most enduring 
involves generating a random pass-phrase that the user must enter. To help 
prevent craftier bots with optical character recognition (OCR) from beating the 
system, the pass-phrase letters are distorted or partially obscured with random 
lines and dots. 

Smtc letters m i\\t pass - \>Wasc 
yd^domly ?^asc *»s MW ⑼七 

cvev-y *tKc -fov-m is displayed- 、 


A CAPTCHA is 

a program tkat 
protects a wet site 
Irom automatect 
tots ty using a 
test ol some sort. 


Enter the letters displayed: 


A v\ovmdl -f ield used 

-to alloy/ usev bo cr>*tcv 

tKc CAPTCHA pass-pKvasc. 



A CAPTCHA form field is just like any other form field except that its 
whole purpose is to prevent a form from being submitted unless the 
CAPTCHA test has been successfully completed. So unlike other form 
fields, which typically pass along data to the server upon submission, a 
CAPTCHA field is verified and used to control the submission process. 


|i hCS ah d dots help 铋 oku 代 
七 4 text jus-t Chough io ihv/3^i 

乩脱七饮 while 
此 " -to disWh it. 


s^3w\ loot 七 
make ou*b pass-piiv-asc^^ 
all \i tav\ do is jucss. ^ 



Fail! 


Enter the letters displayed: 

Idch-ti-fymg -the 
pass—phvasc su^dcss-fully 
is easy (or a v-cal hurrah. 

Enter the letters displayed: 




qwerty? 






Pass! 


owdysq 



It’s very important for the CAPTCHA pass-phrase to be displayed on 
the form as an image and not just text; otherwise bots would have a 
much easier time figuring out the text. 


you are here ► 
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no dumb quesf/ons: captcha edition 


D 


thereiare 

)umo ( 



esti9ns 


That image CAPTCHA with the dog is really cool. Could I 
use that instead of a pass-phrase CAPTCHA? 


A 


Absolutely. Just keep in mind that you'll need to maintain a 
database of images and descriptions of what they are, because one 
of the keys to any successful CAPTCHA is variety. A good CAPTCHA 
should have a deep enough repository of content that a form rarely 
displays the same test twice. That’s the benefit of pass-phrase 
CAPTCHA: since the pass-phrase is generated from random letters, 
it’s very unlikely the exact same test will appear twice to any given 
user, even with lots of repeated attempts. 

How does CAPTCHA impact the visually impaired? What if 
they can’t pass a visual CAPTCHA test? 

Visual CAPTCHAs aren’t the best answer for users who are 
visually impaired. An ideal CAPTCHA solution might involve an audio 
alternative to visual CAPTCHAs. For example, there is an audio 
CAPTCHA where a series of numbers are read aloud, after which the 
user must enter them to pass the test. But the same problem exists, 
where crafty bots use voice recognition to defeat such CAPTCHAs, 
which is why some of them use highly distorted audio that sounds a 
little creepy. Audio CAPTCHAs are similar technically to image 


CAPTCHAs in that they require a database of audio clips and 
their respective answers. There are services that offer flexible 
CAPTCHAs that utilize both image and audio CAPTCHAs, such as 
www.captcha.net. Such services are excellent in terms of offering the 
latest in CAPTCHA technology, but they typically don’t integrate quite 
as seamlessly as a custom CAPTCHA that is tailored specifically to 
your web application. 

But there are also people who have poor eyesight and are 
also hearing impaired. What about them? 

Ultimately, CAPTCHA is all about weighing the reward of 
thwarting spam bots against the risk of alienating some users. Similar 
to viruses and anti-virus software, spam bots and CAPTCHAs 
will likely continue to play a cat and mouse game where bots are 
created to defeat a certain CAPTCHA, requiring a more sophisticated 
CAPTCHA, and on and on. Caught in the crossfire are users who 
may be left out due to the limited accessibility of some CAPTCHAs. 
It's up to the individual web developer to weigh the risks of a bot 
attack against the potential loss of users who may not be able 
to access parts of the site protected by CAPTCHA. If it’s any 
consolation, keep in mind that the most sophisticated bots typically 
aim for large targets with huge ad revenue upside, meaning that you 
may not encounter a truly evil bot until your site grows to the point of 
being a big enough target for high-powered bots. 


OK t so a CAPTCHA pass-phrase has to 
be displayed as an image with random 
lines and dots. Thafs fine, but how in the 
world can that be created with PHP? PHP 
can only generate HTML code, right? 



PHP has graphics capabilities that can dynamically 
generate images you can then display using HTML code. 

With the help of a graphics library called GD (Graphics Draw), our PHP scripts 
can dynamically generate images in popular formats such as GIF, JPEG, and PNG, 
and either return them to a web browser for display or write them to a file on the 
server. This capability of PHP is extremely important because there is no notion 
of being able to “draw” on a web page purely through HTML. PHP allows you to 
‘draw，’ on a portion of a page by performing graphics operations on an image, and 
then displaying that image on the page using the familiar <img> tag. 



visualizing your data... and more! 


ftewcratG the CAPTCHA pass-phrase text 

Before we can even think about the graphical side of a pass-phrase CAPTCHA, 
we need to figure out how to generate the random pass-phrase itself, which 
begins as a sequence of text characters. A pass-phrase can be any number of 
characters, but somewhere in the range of six to eight characters is usually 
sufficient. We can use a constant for the pass-phrase length, which allows us to 
easily change the number of pass-phrase characters later if need be. 


define('CAPTCHA—NUMCHARS', 


6)； 


A CAPTCttA ? ass 令 asc s 〜 
\o^ »s ^okakly 

-to stop ko-b 



So how exactly do we go about generating a random string of text that is 
six characters long? This is where two built-in PHP functions enter the story: 
rand () and chr () . The rand () function returns a random number in the 
range specified by its two arguments, while chr () converts a numeric ASCII 
character code into an an actual character. ASCII (American Standard Code 
for Information Interchange) is a standard character encoding that represents 
characters as numbers. We only need ASCII character codes in the range 97- 
122, which map to the lowercase letters a-z. If we generate a code in this range 
six times, we’ll get a random six-character pass-phrase of lowercase letters. 



$pass^phrase 


// Generate the random pass-phrase 
$pass_phrase =""; 

for ($i = 0; $i < CAPTCHA—NUMCHARS; 
$pass_phrase .= chr(rand (91 r 122)) 

} 




This Code will eventually 
9° … "to its ovm \reusdblc 
script -file, 


rand() 

This built-in function returns a random integer 
number, either within a specified range or between 
0 and the built-in constant RAND—MAX (server 
dependent). To obtain a random number within a 
certain range, just pass the lower and upper limits 
of the range as two arguments to rand (). 


or\cc -ro 1 
ih 

$i++) { 

r 

TV^c pass-pWasc is 
doy\s*tv-iAd*tcd ov\t random 

a*t a 

chr () 

This built-in function converts a number to its ASCII 
character equivalent. As an example, the number 97 
is the ASCII code for the lowercase letter ， a ， . So 
calling chr (97) returns the single character ， a '. 


Tke ranJO iunction 
returns a random integer 
witkin a certain range. 


you are here ► 
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drawing a captcha 


Visualizing the CAPTCHA image 


With the random pass-phrase nailed down, we can move on to generating an 
image consisting of the pass-phrase text along with random lines and dots to 
help obscure the text from bots. But where to start? The first thing to do is 
decide what size the CAPTCHA image should be. Knowing that this image 
will be displayed on a form next to an input field, it makes sense to keep it fairly 
small. Let’s go with 100x25, and let’s put these values in constants so that the 
image size is set in one place, and therefore easy to change later if necessary. 

TiiC sizjC o-f CAPTCttA ,s 

define (' CAPTCHA—WIDTH ， ， 100) ; m doy , s ta^ bo make i 七 casicv 

define 「 CAPTCHA—HEIGHT ▼ , 25) ; ^ ^ Sl ^ la 七饮』如••代 d . 

Drawing the CAPTCHA image involves calling several functions in the GD 
library, all of which operate on an image in memory. In other words, you create 
an image in memory, then you draw on it, and then when you’re all finished, 
you output it to the browser so that it can be displayed. 

// Create the image 

$img = imagecreatetruecolor(CAPTCHA WIDTH, CAPTCHA HEIGHT); 


Drawing a ctynamic 
image in PUP 
requires usingf GD 
litrary functions. 


// Set a white background with black text and gray graphics 
$bg_color = imagecolorallocate($img, 255, 255, 255); 
$text_color = imagecolorallocate($img, 0, 0, 0); 


$graphic color = imagecolorallocate($img, 64, 64, 64) 


// white 
// black 
// dark gray 


TVis todt Beales dolovs 
■to be used by the othev- 

今 D -PuhdtiohS. 


// Fill the background 

imagefilledrectangle($img, 0, 0, CAPTCHA—WIDTH, CAPTCHA—HEIGHT, $bg_color); 

// Draw some random lines 
for ($i = 0; $i < 5; $i++) { 

imageline($img, 0, rand() % CAPTCHA—HEIGHT, CAPTCHA—WIDTH, 

rand() % CAPTCHA HEIGHT, $graphic color); 


// Sprinkle in some random dots 
for ($i = 0; $i < 50; $i++) { 

imagesetpixel($img, rand() % CAPTCHA—WIDTH, 

rand() % CAPTCHA—HEIGHT, $graphic_color); 

} 


// Draw the pass-phrase string 

imagettftext($img, 18, 0, 5 , CAPTCHA—HEIGHT - 5, $text_color, 
'Courier New Bold.ttf ', $pass_phrase); 


// Output the image as a PNG using a header 


header("Content-type : image/png"); 
imagepng($img); 
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visualizing your data... and more! 


Wwly Scaled images siav-t M 
with a blahk bla^k badkyouhd. 
Say that thv-cc h mes v-cally 
心士 u blahk bladk bWyouW 


We v\ttd a v/lVrtc 
广 ba^kyour\d bo dv-a>w *tV^c 
^ CAPTCHA yra^cs o„. 


B\rst d\raw some 
V^hdorn lihes. 



\ 


\ 




^dd'm some var^dom 
do*U -fov sorwC 
add'ii'io^al w *tc%*tuvc. J 





Dv-aw the text ih a 

da\rkc\r to\oY ovcv* -the 
Imes av\d dots. 



Or\dc 七 he bvov/sev v-ctcivcs {\\t 
ima^c, \i ^ display \i us ’， 
d y\o\rmdl HT/VIL- 










F'mally> rth^Y\ 七 he 
imd^C dS d PN^ -to 
七 he b\ro>wsc\r. 




Client web 
browser 


you are here ► 
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gd graphics functions 


Inside the ftp graphics functions 


The magic behind GAPTGHA image creation is made possible by the GD 
graphics library, which you’ve already learned offers functions for dynamically 
drawing graphics to an image using PHP code. Let’s examine some of these 
functions in more detail as they relate to generating a GAPTGHA image. 


imagecreatetruecolor() 

This function creates a blank image in 
memory ready to be drawn to with other 
GD functions. The two arguments to 
imagecreatetruecolor () are the width 
and height of the image. The image starts out 
solid black, so you’ll typically want to fill it 
with a background color, such as white, before 
drawing anything. You can do this by calling the 
imagef illedrectangle () function. The 
return value of imagecreatetruecolor () 
is an image identifier, which is required as 
the first argument of most GD functions to 
identify the image being drawn. 




width 


-► 



Kcw images av-c 
•mitdly Crtaicd with 
bladk bddk^vouhds. 

▲ 


height 


t 


TKc 


The height 
the 


TKc v-C-tuv-hS an 

七 ha 七 is 、 

by oi\\tr dray/'m^ 

WW *to anally 
OY\ 七 he irway* 


$img 






imagecreatetruecolor(CAPTCHA 一 WIDTH, CAPTCHA 一 HEIGHT); 

t . _ _ 

丁 his toAt ^\rcatcs av\ image that is 

\OOy 2 ^ ih tholhks -to ouv- ^ohsbhts. 


Red ： (i%, 0, 0). 


Medium g\TCCh-* (O, IZG, 0). 


Blue ： (o, 0 , 


The \rctu\rh value is a Co\ov 
idchti-Pic\r that you dah use T 
ih 0 仏饮 W-tiohs-to ^ 

^Ohtirol the CoW bcihg used； sudh 

as the ^oloir o-f CAPTCHA text 


imagecolorallocate() 

Use this function to allocate a color for use in 
other drawing functions. The first argument is 
the image resource identifier, followed by three 
arguments representing the three numeric 
components of the RGB (Red-Green-Blue) color 
value. Each of these values is in the range 0—255. 
The return value is a color identifier that 
can be used to specify a color in other drawing 
functions, often as the last argument. 

$text color = imagecolorallocate($img, 0, 0, 0); 

The ^ Way ^ 2 : 二 rSfX 

i\,t Co\or ^.11 be used m this case blad. 
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visualizing your data... and more! 


imagesetpixel() 

This function draws a single pixel at a specified 
coordinate within the image. Coordinates start 
at 0,0 in the upper left corner of the image, and 
increase to the right and down. Like most GD 
functions, the pixel is drawn using the color that 
is passed as the last argument to the function. 


0,0 



T\\t toovd'ma*tc system -fov 
mos 七今 D ealU stavts 

•m i\\t uf f 饮一七 CoYY\tr 
七 k imd^e d^d mtvcascs d 娜 

By\A vi ☆ 七 . 


width,height 


imagesetpixel($img, rand() 

"The fidch"ti-pic\r) 

the pixel is beih0 
d\r3wh oh. 


% CAPTCHA WIDTH, rand() % CAPTCHA HEIGHT, $graphic color) 


TV^c )<V toovd'ma-tc tiic 代 latwe 

•to uffev -七 ^ov-r\CV- <Jc tiic imay ， 

y/KidV^ m dasc cr^ds up d rav\Ao^ 

lota*bio\r\ v/rtiVm CAPTCttA 


/ 


The to\o>r (idchti-ficv) 

o-P the pixel. 


imageline() 



Gall this function to draw a line between two coordinates (xl,yl and x2,y2). 
The coordinates are specified relative to the upper-left corner of the image, 
and the line is drawn in the color passed as the last argument to the function. 

The ></ CooY&^it o( -the s-ta\rt o( -the \\v\c, -this 

ease alo^j -the Ic-P-t cdjc o( -the CAPTCWh image. 



imageline ($img, 0, rand() % CAPTCHA 一 HEIGHT, 

CAPTCHA WIDTH, rand() % CAPTCHA HEIGHT, $graphic color); 



The pom 七 。* P 七 he I me ； whidh heve lies 

-the cdjc -the CAPTCttA •• 州 ay. 


imagerectangle() 

Draw a rectangle starting at one point (x^y^ and ending at 
another point (x 2 ,y 2 ), in a certain specified color. The two points 
and the color are provided as the second through sixth arguments 
of the function, following the image identifier argument. 


x i»Yi 



x 2 ,y 2 


T\\t imayvc^^lcO x 

-fuir\£.*tioir\ "bakes 七 he 
same 

as 'imay-fillcdvc^-ta^lcO. 



x 2 ,y 2 


imagefilledrectangle() 

Similar to imagerectangle (), this function 
draws a rectangle whose interior is filled with the 
specified color. 


imagefilledrectangle ($img, 0, 0, CAPTCHA WIDTH, CAPTCHA HEIGHT, $bg color); 



The X/ ^oo\rd*matcs o-P -the 

扣 d tt\A poijvts — hcv-c i*t 

^ills the c^tiv-c CAPTCHA ir ， d 3 e. 


you are here 
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gd graphics functions: part deux 


The ftl? graphics functions continued... 


imageellipse() 

For drawing circles and ellipses, this function 
accepts a center point and a width and height. 

A perfect circle is just an ellipse with an equal 
width and height. The color of the ellipse/circle 
is passed as the last argument to the function. 


Ellipses avc^*t used 

•m 如 CAPTCIJA 

but vc 

still 


-#■ 


width 


-► 



height 


◄- 


width 




c 


，y 



height 


imagefilledellipse() 

Need a filled ellipse instead? Just call 
imagefilledellipse (), which works 
the same as imageellipse () except the 
specified color is used to fill the ellipse instead of 
outline it. 


一 imagefilledellipse($img, 0, 0, 320, 240, $color); 

,,, . nc ar>a J 如 / 匕。 W—te 

七 he saw airgumchts. ellifsd 七栎仪如 saw ^ 如七饮 

-to dv-av/ a pcv-fcd*t e ellipsis. 


Both irhagcdlipscO ahd 
i^gc-PillcdcHipscO "take 




imagepng() 

When you’re all finished drawing to an image, 
you can output it directly to the client web 
browser or to a file on the server by calling 
this function. Either way, the end result is an 
image that can be used with the HTML <img> 
tag for display on a web page. If you elect to 
generate a PNG image directly to memory 
(i.e.，no filename), then you must also call the 
header () function to have it delivered to the 
browser via a header. 


/U irwage t^y\ be output 
dnrc^tly -fco the bv-ov/sev- oy -fco 
-Pile Oh the scv-vcv. 






myimage.png 


The \rctuV*K>s 

i'ruc o\r -false dependmg 
oy \ v/hethev- -the " 

was suddcss-Pully dv-caicd. 


you vc bccr> us'm^ m 

f dva … (\AV\tk\OY\S. 

imagepng($img); 


1 



ou dan pass a filch 如 c 舡 optional 
sedohd amgurwCh-t - without it, the 
gchcratcs ah in«agc ih rhCrno\ry that tay\ be 
passed ba^k -to the bv-owsev- \y\ a header. 
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visualizing your data... and more! 


Text d\r^Wh with 
irwages-tirihgupO is Yoi^itd °{0 
degrees douh-tc\r-^lodkwisc so 
that it 3ppc3v*s vcv-ti^ally. 


imagestringup() 

Similar to imagestring (), this function 
draws a string of text using the built-in font, 
but it draws the text vertically, as if it were 
rotated 90 degrees counterclockwise. The 
function is called with the same arguments as 
imagestring(). 


Cluf a-ftev- youv I 州 ays is 

a ^ood *»dca bo keep server 

-pv'ow' Y/ 3 s*biir\^ vcsouV'dcs 
VouVc -f mislicd with 



imagedestroy() 

It takes system resources to work with images 
using the GD library, and this function takes care 
of cleaning up when you’re finished working 
with an image. Just call it after you output the 
image with imagepng () to clean up. 


Similar -to this 

•fuh^-tioh \rctu\rhS "bruc 
suddess, o\r -false o*thc\rwisc- 


imagedestroy ($img); 

A 


idch-ti-Pic\r <^P -the 
you waht "fco dcs-tv-oy. 


Always free up images in 
memory witk imagectestroyO 
once you’ve output tkem. 


imagestring() 

This function draws a string of text using PHP’s 
built-in font in the color specified. In addition 
to the image resource identifier, you pass the 
function the size of the font as a number (1-5), 
along with the coordinate of the upper left corner 
of the string, the string itself, and then the color. 


T\\t s'i« o-f 
sbr\^ t m i\\t ra 呼 I *to 弓 . 

imagestring($img, 3, 75, 75, 'Sample text 


Always up a dal I 

•fco -tins W\{\\ cadK 

i\\ai you ertait so 
all images av-c des-tvoyed- 


x,y 



A ^urwbc\r ih the rav\^t U 

sets "the siz^ of "the -Poht used 
■to d\raw the s-t\rmg o-p ic^i, 
with 5 bcihg the largest siz^c. 


Sample text 


The bu“ 七 -… adequate 
-fov basi 乙七 wt dv-av/m^ bu 七 is 
IWrted m *tcv"ms i*ts siz^. 


TKc y}/ doovdma*tc ^ 
of *tKc uppcv--lc-ft 
dovr^cv- o-r s*tv*m^. 


This is s-tvihg of 
■(: *to be dv*3wh. 


$color); 

T\\t tolov- c^f 

七 he 七 e 此 


-PX CD 4 - 33 rH 皆 flls 



,y 

X ， 
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the imagettftxtQ function 


Prawiwg text with a fowt 


The imagestring () function is easy to use for drawing but it’s fairly limited 
in terms of the control you have over the appearance of the text. To really get 
a specific look, you need to use a TrueType font of your own. The GAPTGHA 
pass-phrase image is a good example of this need, since the characters must 
be drawn fairly large and ideally in a bold font. To get such a custom look, 
you need the help of one last GD graphics function, which draws text using a 
TrueType font that you provide on the server. 


imagettftext() 

For drawing truly customized text, place a TrueType font file on 
your web server and then call this function. Not only do you get to 
use any font of your choosing, but you also get more flexibility in the 
size of the font and even the angle at which the text is drawn. Unlike 
imagestring (), the coordinate passed to this function specifies 
the “basepoint” of the first character in the text, which is roughly the 
lower-left corner of the first character. 

This function does require you to place a TrueType font file on your 
server, and then specify this file as the last argument. TrueType font 
files typically have a file extension of . ttf. 


C.us*tomiZjcd 

a TvucTyfc ^ov\i 

七 he I 啪 ayttf 七 



x,y Sample text 

r 

、 Uhlikc imagcsVmgO, -the 
^oo\rdihatc used -to dv-aw text 
with irwa^c-tt-p-tcxto is at the 

lowcv—lc-lrt ^o\rhC\r of the text 


TV^C s'iz^ of " 

usually spc6-ficd ^ w po*»ir\*ts. 


The of the 4 >此 
Spc^i-Picd ih douh-tc\r-dlo^kwisc 
dcgvccs (O is hovruoll tex-t). 





TV^c )<V doovd*ma*tc 

o-f lowcv- 




imagettftext($img, 18, 0, 5, CAPTCHA 一 HEIGHT - 5, $text—color, 

' C ° Urier NeW Bold . ttf ' ' $pass^>hrale) ; Tk ^ ^ ^ ^ 


You must fladc TvucTyfc 《。灼七 
ov\ youv v/cb scv"vcv so 七七七 
^dfiiids libvav"Y £. 3 ^ -fmd it 




6 ee} BifS 


Courier New Bold.ttf 


If you'd like to take a stab at creating your very 
own TrueType font to further customize your 
CAPTCHA, check out www.fontstruct.com. It's 
an online font-building community including a 
web-based tool for creating custom fonts. 


Use tke imagettltextO 
function to draw kigltly 
customized text witk your 
own TrueType iont. 
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visualizing your data... and more! 

+ 

AT ， - 

inr^Molo 以 lIloQWf'ir^ IZG, IZG, IZG )； 




Match each piece of PHP graphics drawing code to the graphical 
image that it generates. Assume the image ($img) and colors 
($black_color, Swhite color, and $gray—color) have 
already been created. 


i^agcdolov-allodatcffirh^ 0, 0, o )； ima^cdolovallodaicffiw'^ 上 ％’ 上弓弓 ); 



imagefilledrectangle($img, 10, 10, 90, 90, $gray_color); 
imagefilledellipse($img, 50, 50, 60, 60, $white_color); 
imagefilledrectangle($img, 40, 40, 60, 60, $black_color); 



imageline($img. 

15, 

15, 

50, 

50, 

$black 

color); 

imageline($img. 

15, 

85, 

50, 

50, 

$black 

color); 

imageline($img. 

50, 

50, 

85, 

50, 

$black 

color); 


imagefilledellipse($img. 

15, 

15, 

20, 

20, 

$gray 

color); 

imagefilledellipse($img. 

15, 

85, 

20, 

20, 

$gray 

color); 

imagefilledellipse($img. 

50, 

50, 

20, 

20, 

$gray 

color); 

imagefilledellipse($img. 

85, 

50, 

20, 

20, 

$gray 

color); 



imagefilledrectangle($img, 10, 10, 90, 60, $gray_color); 
imagesetpixel($img, 30, 25, $black_color); 
imagesetpixel($img, 70, 25, $black_color); 
imageline($img, 35, 45, 65, 45, $black_color); 
imagefilledrectangle($img, 45, 50, 55, 90, $gray_color); 


imageellipse($img, 45, 45, 
imagefilledellipse($img, 7 5 
imagesetpixel($img, 10, 10, 
imagesetpixel($img, 80, 15, 
imagesetpixel($img, 20, 15, 
imagesetpixel($img, 90, 60, 
imagesetpixel($img, 20, 80, 
imagesetpixel($img, 45, 90, 


70, 70, $black_color); 

, 75, 30, 30, $gray_color); 
$black_color); 

$black_color); 

$black_color); 

$black_color); 

$black_color); 

$black_color); 


H 



imagefilledrectangle($img, 25, 35, 75, 90, $black_color); 
imageline($img, 10, 50, 50, 10, $black_color); 
imageline($img, 50, 10, 90, 50, $black_color); 
imagefilledrectangle($img, 45, 65, 55, 90, $white_color); 
imageline($img, 0, 90, 100, 90, $black_color); 
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who draws what solution 








vvm 






Match each piece of PHP graphics drawing code to the graphical 
image that it generates. Assume the image ($img) and colors 
($black_color, Swhite_color, and $gray_color) have 
already been created. 


imagefilledrectangle($img, 10, 10, 90, 90, $gray_color); 
imagefilledellipse($img, 50, 50, 60, 60, $white_color); 
imagefilledrectangle($img, 40, 40, 60, 60, $black color); 


imageline($img, 15, 15, 50, 50, $black_color); 
imageline($img, 15, 85, 50, 50, $black_color); 
imageline($img, 50, 50, 85, 50, $black_color); 


imagefilledellipse($img. 

15, 

15, 

20, 

20, 

$gray 

color); 

imagefilledellipse($img. 

15, 

85, 

20, 

20, 

$gray 

color); 

imagefilledellipse($img. 

50, 

50, 

20, 

20, 

$gray 

color); 

imagefilledellipse($img. 

85, 

50, 

20, 

20, 

$gray 

color); 


imagefilledrectangle($img f 10, 10, 90, 60, $gray_color); 
imagesetpixel($img, 30, 25, $black_color); 
imagesetpixel($img, 70, 25, $black_color); 
imageline($img, 35, 45, 65, 45, $black_color); 
imagefilledrectangle($img, 45, 50, 55, 90, $gray color); 


imageellipse($img, 45, 45, 70, 70, $black_color); 
imagefilledellipse($img, 75, 75, 30, 30, $gray_color); 
imagesetpixel($img, 10, 10, $black_color); 
imagesetpixel($img, 80, 15, $black_color); 
imagesetpixel($img, 20, 15, $black_color); 
imagesetpixel($img, 90, 60, $black_color); 
imagesetpixel($img, 20, 80, $black_color); 
imagesetpixel($img, 45, 90, $black_color); 


imagefilledrectangle($img, 25, 35, 75, 90, $black_color); 
imageline($img, 10, 50, 50, 10, $black_color); 
imageline($img, 50, 10, 90, 50, $black_color); 
imagefilledrectangle($img, 45, 65, 55, 90, $white_color); 
imageline($img, 0, 90, 100, 90, $black_color); 


rm an android 
not a robot. 


O 
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visualizing your data... and more! 


ftcwcrate a random CAPTCHA image 

Putting all the CAPTCHA code together results in the brand-new captcha . 
php script, which takes care of generating a random pass-phrase and then 
returning a PNG image to the browser. 


"The 乙 s£vip 七 is 
^o^plc-tcly sd-f-^ohtaihcd - you 
匕 opCh it ih you\r b\roy/sc\r 3hd 
view the irwage that it gchcvatcs. 


<?php 

session—start(); 

//Set some important CAPTCHA constants in 

define ('CAPTCHA_NUMCHARS', 6 )； 

define (-CAPTCHA_WIDTH-, 100); °f .mage 

define rCAPTCHA_HEIGHT\ 25); //height of image 

// Generate the random pass-phrase 

$pass phrase = nM ； s 

for ($"i = 0; $i < CAPTCHA 一 NUMCHARS; $i++H 

$pass—phrase • = chr(rand(97, 122)); 


// store the encrypted pass-phrase in a session variable 
$ SESSION [ ， pass—phrase'] = shal($pass_p rase , 


pass-phrase 


Create £.ov\s*tar\*ts *to \\o\A 

ytumbev <Jc diiav-a^-tc'rs m 

CAPTCHA ar^a ar^a 

*bKc CAPTCHA iw'Sjc* 


Although you Could s-fcov-c the c^^v-yptcd 
pass-phv-asc \y\ the database, i-t^s sirwplcv 

jus 七 s^idk i*t 3 session Vd\ridblc — • y/C 
have "to s-to\rc it so the Add S^ovc sdv-ipi 

C^y\ a 匕匕 ess i*t. 


（ CAPTCHA—WZDTH, CAPTCHA_HEIGHT); 

//Set a white background with black white 

$ bg color = imagecolorallocate ($ ， mg, 255 255 ^55) 

$ text color = imagecolorallocate($，mg 0 0 0) //darkgray 

$graphic_color = imagecolorallocate($!mg, 64, 64, , 

灿 g, Q, ◦, CAPTCHA.WIDTH, -PTCHA.HEIGHT, ^dor,; 

// Draw some random lines . 

%CAPTCHA_HEIGHT, CAPTCHA_WIDTH, rand() % CAPTCHA_HEIGHT, $g rap hl c_color )； 


/ / sprinkle in some random dots 

% CAPTCHA_WIDTH, rand () % CAPTCHA_HEIGHT , $g rap hl c_color); 

} 

Stc ， PTCH,_H EIG H T - 5, ㈣— 秦 ， ◦ 卿 f' ㈣ 声 ㈣ '• 

// output the image as a PNG using a header L C -:- C L X ^ 

header("Content-type : image/png n )； 
imagepng($img); 


// Clean up 

imagedestroy($img); 
?> 


6itr^cc^it a PN^ imay based 
oy\ cvcvytiim^ 七 1 ^七 has \)ttv\ 
dv*a>^m. 


TKc PN^ imay is 
adtually dclWcvcd 
*to *thc bvov/sev- 
七 hvou^> a headev*. 


Some vevsiohs of the 6ft) 
g\raphids lib\rol\ry \rc<\uiv-c a v-clativc 
path "to "the -Poh-fc -Pile, sudh ds 
VCouHcv- /s/cw Bold.UP. 


Pmish up by dcst\roymg the i^a^e 

*(Vom mcmoiry (ii still yts scht 
"to the b\rov/se\r via the hcadcv-). 


captcha.php 
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try out captcha.php 




Tesr DriVq 


Create the CAPTCHA script and try it out. 

Create a new text file named captcha . php, and enter the code for the CAPTCHA 
script from the previous page (or download the script from the Head First Labs site at 
www. headf irstlabs . com/books/hfphp). 

Upload the script to your web server, and then open it in a web browser. You’ll 
immediately see the CAPTCHA image with the random pass-phrase in the browser. 
To generate a new random pass-phrase, refresh the browser. 




E 把 h CAPTCHA gchcv-atcd 

^Ohsists o( six v-ahdom 
with some CX-t\rol lihes av\d dots 
•fov" sdded ^boi^k^vouhd 



*tV^C CAPTCHA 

v-csults m d 
v-dr\do^ \>ass-\>Wasc 
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visualizing your data... and more! 


These robots are 
making me crazy! I 
need help stopping 
them now! 



Rcturwmg sawity to ftuitar Wars 

Now that we’ve conjured up your inner PHP artist with some GD functions 
and a GAPTGHA image, it’s time to use the GAPTGHA image to rescue the 
Guitar Wars moderator from the spam bot assault. There are actually a few 
steps involved in solving the bot problem with a pass-phrase GAPTGHA. The 
good news is we’ve already knocked out two of them: generating the random 
pass-phrase and drawing the GAPTGHA image. Let’s knock out the remaining 
steps to make Guitar Wars officially bot-free! 


TKc ^u»-bav 
w^odicv-a-bov- is so 
七 ha 七 

\)CS ou*t a 七 
v-oko*U — 

Yxccds d solution y\oJ 



ass-phrass, 


Already dohe/ 

Pv-ay/m^ Completef 

❻ Draw a CAPTCHA image-wssnq the pa ss -p hras er 

❺ Display the CAPTCHA image on the Guitar Wars 
Add Score form and prompt the user to enter the 
pass-phrase. 


❹ Verify the pass-phrase against the user input. 



Complete Step 3 of the Guitar Wars Add Score CAPTCHA by writing the HTML code for a new 
Verification text input form field that prompts the user to enter the CAPTCHA pass-phrase. 

Make sure to give it a label, and follow it with an <img> tag that displays the CAPTCHA image 
generated by the captcha. php script. 


you are here ► 
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exercise solution 



Complete Step 3 of the Guitar Wars Add Score CAPTCHA by writing the HTML code for a new 
Verification text input form field that prompts the user to enter the CAPTCHA pass-phrase. 

Make sure to give it a label, and follow it with an <img> tag that displays the CAPTCHA image 
generated by the captcha. php script. 


A <labcl> *ta5 used 丁 his tex-t -field is whcv-c 

-to label r\t>N 七 he usev- will Chtcv- the 

-f ield. pass-plurasc \rcvcalcd \v\ 

/ the CAPTCHA 

<labcl </labcl> n 

_iy. 代 ”• 一 ? .O.vVlV.' mImC 运 ” ior. _ih( p. 抑 r ： p))V 於 ?: 

^1^3.bf! ?J ： t^!Vcv ； i-fida*tio^ pass-phvrasc w /> 



丁 he u sou\rdc W o( the is the 

o( the PHP s^v-ipt -that 

dy^\ca\\y the CAPTCHA 

This wo\rks because the 


Tk CAPTCrtA 
> s 

d'is\>la7cd 
Jpo'rw "to 

3 vcv*i-f 

tc%t ^' lC ' d * 




dap-Uha php script \rctu\rhS av\ 
irwage di\re^tly "to the b\rowscv- via 
irwagcphgO av\d a header. 



PmisKcd! O^t mo^rc step -to 30 . 

❺ DiSpSay tha-€APTCHA Imag^Gri the Guitar Wars 
Add Score form and the user to enter the 
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visualizing your data... and more! 


Add CAPTCHA to the Add Score script 

On the client side of the equation, the adds core • php script contains the 
new Verification text field with the CAPTCHA image beside it. The most 
important change, however, is the new if statement in the Add Score script 
(Step 4) that checks to make sure the user-entered pass-phrase matches the 
CAPTCHA pass-phrase. 




<?卿 

session—start () ， 

?> 

<html> 

<head> Your High Score</title> 

</head> 

< ^Guitar Wars - Add Your High Score</h2> 

< require once ('appvars.php ')； ^ 

require^onceC connectvars .php ) ， 

if (isset($_POST[ , submit , ])) { 

// Connect—to the USER, DB PASSWORD, DB—NAME) 

$dbc = mysqli_connect (DB—HO ST, 此一 一 

// Grab the score d^ta trim ($ POST [' name ']) 

$name ‘ trim( ^poST rsco r e ； 

$score =mysqli_rea P string ($dbc, trim($_FILE 

$screenshot = mysqli rea scre enshotM [' type ']； 

$screenshot_type = |_FILES ? otM ['sizeM ； 

$screenshot__size - $__FILbb [_ _ _ ,_ 

/^Taieck the CAPTCHA pass-phrase for 

《user pass—Phrase = shal ($ PO^ [ ve Y ’ hrase) 

if ($3ESSI0N['pass_phrase ] -扣 ser— P 一 


o 




■eritered- 


CAFTCKm 

pass-phrase^ 

l^cVc a\\ dohe/ 


screenshot']['name ']))； 


• • • , -to'h-rpx9.ctlv shown * 〈 /p> 

else { n the verification pass-phrase exact Y 

echo .<P class=^error^>Please enter the ver _ _ 


?> 


echo $ SERVER ['PHP_SELF'] ； ?>"> 

ffL^enctype-^ultxpart/^^^^^^ G W_MAX F ILESIZE;/> 

<input type="hidden nam= 一 / ($name) ) echo $ name; ?> n /Xbr /> 

<labe ^ name-name- value-< ?P hP if (! 咖财伽 ） . 9> ” /><br 

S ^sco r e ；； ^ o </^„^ value ,, ?php lf (恤 • 

〈十冗， ^ V erify^>Verification: </ ， bel> ” ， Enter the pass-phrase . ^ /> 

逢 C 二二 l p 【 ss - phrase ”/> w,s -. s ，以 




type-submit- value-Add» name-submxt^ /> 

</form> 

</body> 

</html> 


L/b— ?ay 




addscore.php 
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test drive addscore.php with captcha functionality 




Tesr DriVq 


Modify the Add Score script to support CAPTCHA. 

Change the adds core • php script so that it has a new Verification form field, as well 
as using the captcha . php script to display a CAPTCHA image. Also add the code 
to check and make sure the user entered the correct pass-phrase before adding a score. 


Upload both scripts to your web server, and then open adds core • php in a web 
browser. Try to add a new score without entering a CAPTCHA pass-phrase. Now try 
again after entering the pass-phrase displayed in the CAPTCHA image. 


A O w 讲， vwr -- 

Guitar Wa^ • Add Yotir High Score 

i°i n o 


OuV wodcv-a*tov- 

-fmallY some fcatc 
*bo a 

of out o ^ iy \. 



Name 

SMSK 

SUTTOl 




Cultif WjLfT ~ Add Hl—tl v 。， 


n Jtc*: 


W 

►mac 




_ Guitar Wars - Add Your High Score 


Pkii* «il#t ihe vtriFk'fitkini cxiHlIy ox slwmn. 



1 


Guitar Wars HighiSccir^ 



A ^ohs-bh-tly dhah9ih0 CAPTCHA 

pass-ph\rasc makes it iough 
au-to^ated bots -to spa^ -the 

与 iA’_ta\r Wars -fov-m. 
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visualizing your data... and more! 



Can I use the GD functions to 
create images in formats other than PNG? 

Yes. The imagegif () and 
image j peg () functions work very 
similarly to imagepng ( ) but create GIF 
and JPEG images, respectively. 

Can the image creation functions 
create images with transparency? 

Yes! There is a function called 
imagecolortransparent() 
that sets a color as a transparent color 
within an image. This must be a color 
that you’ve already created using the 
imagecolorallocate () function. 
After setting the color as transparent, 
anything drawn with that color in the image 
will be considered transparent. To generate 
the image with transparency, just call 
imagegif ( ) or imagepng ( ); you 
can't use image jpeg ( ) because JPEG 
images don’t support transparency. 

When using imagepng () to 
output a PNG image directly to the client 
browser, where is the .png file for the 
image stored, and what is its name? 


^^^BUILET POINTS 


费 

• There is no .png file for the image, 
and the reason is because the image isn’t 
stored in a file. Instead, the imagepng () 
function generates a binary PNG image in 
memory on the server and then delivers it 
directly to the browser via a header. Since 
the image data is created and sent directly 
to the browser, there's no need to store it in 
an image file. 

Is that why I’m able to put the name 
of the CAPTCHA script directly in the 
src attribute of an <img> tag? 


That’s correct. Referencing a PHP 
script in the src attribute of an <img> 
tag, as was done with the captcha.php 
script in Guitar Wars, results in the image 
being delivered directly by the script. This is 
in contrast to the normal way the <img> 
tag works, where the name of an image 
file is specified in the src attribute. Since 
the script is sourcing the image directly to 
the browser through a header (by way of 
the imagepng () function), no file is 
involved. And the browser knows to connect 
the image from the header to the <img> 
tag because the script is specified in the 
src attribute. 




All web forms are at risk of attack from spam bots, but 
all spam bots are at risk from clever PHP programmers 
who use techniques such as CAPTCHA to thwart them. 

GD is a standard PHP graphics library that allows you 
to dynamically create images and then draw all kinds of 
different graphics and text on them. 


The createtruecolorimage () GD function is 
used to create a blank image for drawing. 

To output a PNG image to the browser or to a file on the 
server, call the imagepng () GD function. 

When you’re finished working with an image, call 
imagedestroy () to clean up after it. 


you are here ► 
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visualizing mismatch’s data 


Five degrees of opposability 

Since Mismatch is a community of registered (human!) users, spam bots haven’t 
been a problem. However, users want a little more out of the mismatch feature 
of the site, primarily the “five degrees of opposability” that they’ve been hearing 
about. Mismatch users want more than just a list of topics for their ideal 
mismatch — they want some visual context of how those topics break down for 
each major category of “mismatchiness.” 


I see a bunch of topics, but I dorVt 
really know how we mismatch in different 
categories. I was sold on the ''five degrees 
of opposability/ but I caiVt even see how 
they relate to my mismatch. What gives? 


MismatcVs 
ff iive ctegrees 
ol opposatility^ 
involves measuring 
mismatcltect topics 
ty category 




o 
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visualizing your data... and more! 


Charting mismatchmess 

If you recall, Mismatch includes a categorized questionnaire where users selcet 
Love or Hate for a variety of topics. These responses are what determine the 
topics for an ideal mismatch. When presenting a user’s ideal mismatch, the My 
Mismatch script displays a list of mismatched topics that it builds as an array 
from the Mismatch database. But users now want more than a list of topics... 
they want a visual categorized breakdown of their “mismatchiness，” perhaps in 
the form of a bar graph? 
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Draw a bar graph for the Mismatch data that 
visually shows the “five degrees of opposability” for 
Belita and Jason. Annotate what the information in 
the bar graph means. 
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storing graph data in arrays 


BteRctSe 

SoLytiOH 


Draw a bar graph for the Mismatch data that visually shows the “five degrees of opposability’ 
for Belita and Jason. Annotate what the information in the bar graph means. 
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Storing bar graph data 


When it comes down to it, the data behind a bar graph is perhaps even 
more important than the graphics. Knowing that a bar graph is really just a 
collection of headings and values, we can view the data for a bar graph as a two- 
dimensional array where the main array stores the bars, while each sub-array 
stores the heading/value pair for each bar. 


它 a 乩 sub-av-\ray shorts tiic 
V^adi% and value (or a 
aivcr\ bav- m bav yaph. 

/ 


Value 




Hcad'm^ I 


$graph—data = array( 
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visualizing your data... and more! 



Does a bar graph have to be fed with a two-dimensional 
array of data? 

费 

• No, not at all. But keep in mind that each bar in a bar graph 
typically involves two pieces of information: a heading and a value. 
And each bar graph consists of multiple bars, so a two-dimensional 


array is a logical and efficient way to store data for use in populating 
a bar graph. As the old saying goes, "If you only see one solution, 
you really don’t understand the problem." In this case, the problem 
is how to best store the data that is injected into a bar graph, and 
one particular solution that works out pretty well is a two-dimensional 
array. Of course, the challenge still remaining is how exactly to build 
this two-dimensional array of Mismatch category totals. The first step 
is to isolate what data in the database factors into the solution. 




E%eitciSe 


The database schema for the Mismatch application is shown below. Circle all of the pieces 
of data that factor into the dynamic generation of the “five degrees of opposability” bar graph, 
making sure to annotate how they are used to create the graph. 


mismatch user 


user id O—^ 




username 


password 


join date 


first name 


last name 


gender 


birthdate 


city 


state 


picture 


mismatch^cgtegory 

categoryjd 


name 


mismatch_response^ 

resp onse_i d 

response 

idCW 


user 



mismatch 一 topic 


topicjd 


name 


categoryjd 4 


you are here ► 


633 










































exercise solution 


§OLytiOH 


The database schema for the Mismatch application is shown below. Circle all of the pieces 
of data that factor into the dynamic generation of the “five degrees of opposability” bar graph, 
making sure to annotate how they are used to create the graph. 
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visualizing your data... and more! 



This week’s interview: 

Reading between the lines with the 
master of charts 


Head First ： So you’re the guy people call when they 
need a visual representation of some data. Is that right? 

Bar Graph ： Oh yeah. I’m adept at all facets of data 
visualization, especially the rectangular variety. 

Head First ： So your drawing capabilities are limited 
mostly to rectangles? 

Bar Graph: I’d say “limited” is a strong word in this 
case. It’s one of those deals where simpler is better — 
people just seem to relate to the bars, maybe because 
they’re used to seeing things measured that way. You 
know, like the little meter on mobile phones that tells you 
how good your signal is. “Can you hear me now?” I love 
that. 

Head First: Right. But I’ve also seen some pretty 
effective graphs that are round. Makes me think 
comforting thoughts... like apple pie, know what I mean? 

Bar Graph ： I know where you’re headed, and I’m 
fully aware of Pie Chart. Look, it’s two different ways of 
thinking about the same thing. Pie Chart sees the world in 
curves; I see it a bit straighter, that’s all. 

Head First ： But don’t people inherently relate better to 
pie than a bunch of bars? 

Bar Graph ： No, they don’t. At least people who 
aren’t hungry don’t. You see, Pie Chart is really good 
at revealing parts of a whole, where the data being 
represented adds up to something that matters, like 100%, 
32 teams, or 50 states. There are 50 states, right? 

Head First: Yes. Well, assuming you count Washington, 
D.G. as a “capital district” and places like Puerto Rico 
and Guam as “territories.” But anyway, I see what you’re 
saying about Pie Chart being more about revealing parts 
of a whole, but don’t you do the same thing? 

Bar Graph ： Yes, but keep in mind that I’m much more 
flexible than Pie Chart. You can add as many bars to me 
as you want and I have no problem at all showing them. 


The more you add to Pie Chart, the smaller the slices 
have to get. At some point the parts get hard to visualize 
because of the whole. All that matters with me is that the 
bars all have values that can show up on the same scale. 

Head First ： What does that mean? 

Bar Graph ： Well, it’s difficult for me to graph things that 
have wildly different values, unless of course, you don’t 
mind the bars being dramatically different. Where I really 
excel is at showing the difference between values that are 
within the same range. For example, maybe you want 
to use me to show the price of gasoline over a one-year 
period, in which case all the values would be within a 
reasonably constrained range, like within a few dollars of 
each other. 

Head First ： You sure about that? 

Bar Graph ： I know, the price of gasoline seems like a 
wildly varying value, but not really within the realm of 
what I deal with. 

Head First: So you’ve seen some wild stuff, eh? 

Bar Graph ： You wouldn’t believe some of it. I once 
had a guy who built a web application that kept up with 
how many miles he dragged his mouse in a given month. 
He blogged about it constantly, and used me to chart his 
“travels.” Pretty crazy but people loved it. 

Head First ： So is that where you fit into the web 
picture — providing visual glimpses into people’s data? 

Bar Graph ： Yeah, I guess so. Anytime I can drop into 
a page and provide some eye appeal to data that might 
otherwise be a little dull and hard to grasp, I consider it a 
good day. 

Head First ： Glad to hear it. Hey, I appreciate you 
sharing your thoughts, and I hope we can do this again. 

Bar Graph ： It was my pleasure. And don^ worry, you’ll 
be seeing me around. 
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building an array for categories 


From one array to another 


When we last left off at Mismatch, we had a list of topics that corresponded 
to mismatches between two users. More specifically, we really have an array 
of topics. Problem is, the bar graph we’re trying to draw isn’t about topics 
per se — it’s about the categories that are associated with the topics. So we’re 
one level removed from the data we actually need. It appears that some additional 
SQL querying is in order. Not only do we need the array of mismatched topics, 
but we also need a similar, parallel array of mismatched categories. 
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$query = "SELECT mr•response_id, mr.topic_id, mr.response, 
mt.name AS topic_name, me.name AS category—name ". 

"FROM mismatch_response AS mr ". 

X "INNER JOIN mismatch—topic AS mt USING (topic_id)". 

'’INNER JOIN mismatch 一 category AS me USING (category—id) 
"WHERE mr.user id = '" . $ SESSION[▼user id，]."'"; 



The additional join in this query causes the category name corresponding to 
each response topic to be tacked on to the result data, ultimately making its 
way into the $user_responses array. But remember, we need only the 
mismatched categories, not all of the categories. We need to build another 
array containing just the mismatched categories for the responses. 
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But we’re still falling short of our goal of building 
an array of mismatched categories. To do that, we 
need to revisit the code that builds the array of 
mismatched topics... 


$user responses 
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visualizing your data... and more! 




Tesr DriVq 


Try out the new query to grab mismatched topics and categories. 

Using a MySQL tool, issue the following query to SELECT mismatched topics and categories 
for a specific user. Make sure to specify a user ID for a user who not only exists in the database, 
but who also has filled out the Mismatch questionnaire form: 


SELECT mr.response_id f mr.topic_id f mr.response, 
mt.name AS topic_name, me.name AS category_name 
FROM mismatch_response AS mr 

INNER JOIN mismatch—topic AS mt USING (topic_id) 

INNER JOIN mismatch—category AS me USING (category_id) 
WHERE mr.user id = 3; 
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building an array for topics 


Puild an array of mismatched topics 

We now have a query that performs a multiple join to grab the category 
of each response in addition to the topic, which is then extracted into the 
$user_responses array. Remember that another similar query also grabs 
data for each other user in the database so that mismatch comparisons can be 
made. So $user_responses holds the response data for the user logged 
in to Mismatch, while $mismatch_responses holds one of the other 
users in the system. This allows us to loop through all of the users and update 
$mismatch_responses for each mismatch user comparison. 

We’re already using these two arrays to score mismatches and build an array 
of mismatched topics. We can now add a new line of code to also construct 
an array of mismatched categories — this array contains the category of 
each mismatched topic between two users. 
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$categories = array(); 

for ($i = 0; $i < count($user_responses); $i++) { 

if ($user_responses[$i] ['response'] + $mismatch_responses[$i] [ 1 response'] == 3) 
$score += 1; 

array_push($topics, $user_responses[$i]['topic_name '])； 
array_push($categories, $user_responses[$i]['category—name']); 
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I’m a little confused. What’s the difference between a 
MySQL result set and a PHP array? 

9 

• One big difference is access. A result set is only made available 
a row of data at a time, while an array can hold multiple “rows” of 
data thanks to multiple dimensions. Extracting a result set into a 
two-dimensional array lets us move through rows of data efficiently 
without having to constantly go back to the database server to fetch 
and re-fetch rows. This doesn't work with huge sets of data, as you’d 
be creating huge arrays, but in the case of Mismatch responses, the 
arrays are never larger than the total number of topics in the system. 


Don’t we still need to count how many times a category 
was mismatched in order to generate the bar graph? 

Yes. An array of mismatched categories is not enough. 
Remember that the idea behind the Mismatch bar graph is that each 
bar represents a mismatched category, and the height of the bar 
represents how many times the category was mismatched. So we 
need to come up with a count of how many times each category was 
mismatched. But it’s probably worth taking a step back to formulate a 
general plan of attack... 
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visualizing your data... and more! 


Formulating a bar graphing plan 


With an array of mismatched categories and a bunch of big ideas about how 
to use it to generate a bar graph image for the My Mismatch page, we’re still 
missing a plan. As it turns out, there are only three steps required to dynamically 
generate the bar graph, and we’ve already knocked out one of them. 





cate gory names- 


TK*»s s*tc\> pv-ov'idcs 
us lis*b 

m'»sma*b^cdi tatc^oncs. 


The list o( datcgov-ics 
needs "to be dohvcv-tcd ih-fco 

❻ Calculate the mismatch totals for each category. __" a list of 


❺ Draw the bar graph using the categorized 
mismatch totals. 


To complete Step 2 of our plan, we somehow need to take the array of 
mismatched categories and turn it into a set of category totals, meaning 
a count of how many times each category appears in the mismatched 
category array. If you recall, this is precisely the kind of data required to 
drive a bar graph, where the categories are the headings and the count for 
each category is the value of each bar. A two-dimensional array can be 
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Once this array of category totals is built, we’ll be ready to move on to Step 3 
and actually use some GD functions to crank out the bar graph visuals. 
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some array math 


Crunching categories 

The challenge now is to get the array of categories totaled up and put into a 
two-dimensional array of headings and values. We have an array of mismatched 
categories stored in the $categories array. We need to build a new array 
called $ cate gory—totals that contains one entry for each category, along 
with the number of mismatches for each. 


We need to 
go from this... 

The "to^l humbev of 






How would you go about totaling the mismatched 
categories in the $categories array to build the 
two-dimensional $category totals array? 
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visualizing your data... and more! 


l?omg the category math 

Moving from a one-dimensional array of mismatched categories to a two- 
dimensional array of category totals is a bit trickier than you might think at first 
glance. For this reason, it’s helpful to work through the solution in pseudocode 
before actually cranking out any PHP. Pseudocode frees you from syntactical 
details and allows you to focus on the core ideas involved in a particular coding 
solution. 

Create a new two-dimensional array to store the category totals, making sure to 
initialize the first element with the first mismatched category and a count of 0. 

Loop through the array of mismatched categories. For each category in the array... 

Is the last element in the category totals array a different category than the 
current mismatched category? 

♦ Yes! This is a new category so add it to the category totals array 
and initialize its count to 0. 

♦ No. This is another instance of the current category, so increment 
the count of the last element in the category totals array. 

The product of this code is a two-dimensional array of category totals where the 
main array holds a single category, while each sub-array contains the category 
name and its value. 


Translate the pseudocode to finish the real PHP code that builds a two-dimensional array of 
Mismatch category data called $category—totals. 

$category_totals = array(array($mismatch—categories[0], 0)); 
foreach ($mismatch—categories as $category) { 
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exercise solution 


BceRctSe 

©OLytiOH 


Translate the pseudocode to finish the real PHP code that builds a two-dimensional array of 
Mismatch category data called $category—totals. 
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visualizing your data... and more! 



Dumb Quest? 


9ns 


What happens to the category total code if the categories in the $mismatch_categories array 
aren’t in order? 



Big problems. The code is entirely dependent upon the categories in the $mismatch_categories 
array being in order. This is revealed in how the code assumes that any change in the category is the start of a new 
category, which works as long as categories are grouped together. Fortunately, the query in the Questionnaire script 
that originally selects topics for insertion into the mismatch_response table is smart enough to order the 
responses by category. 

SELECT topic—id FROM mismatch—topic ORDER BY category—id, topic—id 

This query is the one that first grabs topics from the database and then inserts them as empty responses for a given 
user. This ensures that user responses are stored in the database ordered by category, which allows the category 
total code to work properly. 

But isn’t it risky writing code that is dependent upon the order of data stored in a database table? 

Yes and no. Remember that this database is entirely controlled by script code that you write, so the order of 
the data really only changes if you write script code that changes it. Even so, an argument could certainly be made 
for ordering the join query in the My Mismatch script by category to make absolutely sure that the mismatched 
category list is in order. 
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drawing a bar graph 


Par graphing basics 

With a shiny new two-dimensional array of mismatched category data burning a 
hole in your pocket, it’s time to get down to the business of drawing a bar graph. 
But rather than focus on the specifics of drawing the Mismatch bar graph, why 
not take a more generic approach? If you design and create an all-purpose bar 
graph function, it’s possible to use it for Mismatch and have it at your disposal 
for any future bar graphing needs. In other words, it’s reusable. This new 
function must perform a series of steps to successfully render a bar graph from a 
two-dimensional array of data. 


o 

[ 伽 p £ 

\mow< 


❹ Create the image. 

Create the colors you'll be using to draw the graphics and text 
Fill the background with a background color. 

Draw the bars and headings. 

Draw a rectangle around the entire bar graph. 

Draw the range up the left side of the graph. 

❹ Write the bar graph to an image file. 


Tiic value o-f catii bav- 
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visualizing your data... and more! 



PHP Magnets 


The My Mismatch script contains a new draw_bar_graph () function that takes care of drawing a bar 
graph given a width, height, a two-dimensional array of graph data, a maximum value for the range, and 
a filename for the resulting PNG image. Use the magnets to add the missing GD drawing function calls. 


function draw_bar_graph ($width A $height, $data, 

/ / Create the"empty graph image 


$max value, $filename) { 


$img 


($width, $height); 


0 / / set a white background with black text and gray graphics 

($img, 255, 255, 255); 


$bg_color =.. 
$text_color = 
$bar_color = 
$border color 


// white 

($img, 255, 255, 255) ; // white 

($img, 0, 0, 0) ; // black 

($img, 192 , 192, 192) ; / / light gray 


// Fill the background 

($img, 0 r 0 r $width, $height, $bg_color); 

// Draw the bars 、士。、 ， i 、 . 

$bar width =$width / ((count($data) 2) ’ 

for「$i = 0; $i < count ($data) ; $i++) { 

($img, ($i * $bar_width* 2) + $bar_width, $height, 

($i * $bar_width-2) + ($bar_wicLth-2), $height - ( (^height / $max_value) - $data[$i] [1] ) , $bar_color); 

($img, 5, ($i * $bar_width * 2) + ($bar_width) , $height - 5, $data[$i] [0] , 


0 

Q 


$text_color); 

} _ 

// Draw a rectangle around the whole thing 

($img, 0,0, $width - l f $height - l r $border_color); 

// Draw the range up the left side of the graph 
for ($i = 1; $i <= $max_value; $i++) { 


($img, 5, 0, $height - ($i* ($height / $max_value)), $i, $bar_color); 


6 

▲ 


// write the graph image to a file 

($img, $filename, 5); 

($img); 


imagecreatetruecolor 


image fi1ledrectangle 


imagestringup 


imagerectangle I 


imagedestroy 


imagecolorallocate 


imagecolorallocate 


imagepng 

■ - 


imagestrin 



inicLg© co lo rail o cate 

imagefilledrectangle 



imagecolorallocate 
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php magnets solution 



PHP Magnets Solution 


The My Mismatch script contains a new draw_bar_graph () function that takes care of drawing a bar 
graph given a width, height, a two-dimensional array of graph data, a maximum value for the range, and 
a filename for the resulting PNG image. Use the magnets to add the missing GD drawing function calls. 



function draw_bar_graph($width, $height, $data, $max_value, $filename) { 

// Create the empty graph image - rivs-fc dvcatc a bUhk 


— $img= .. imagecreatetruecolor i ($width, $height); 

// Set a white background with black text and gray graphics 


-Pov- dirawih^. 


hCW 


$bg_color =.. 
$text_color 
$bar color= 


imagecolorallocate |($img, 255, 255, 255) ; //white 

255 , 255, 255); //white 


$border_color 


— < 

imagecolorallocate | 

oral locate 


// Fill the background 


6 


imagefilledrectangle 


($img, 0, 0, 0) ; // black 

($img, 192 , 192 , 192) ; // light gray 

Clear -the ba^kg\rouhd -fco yt it veady 
-the ba\r gv-aphi^s. 



Cv-ca-tc some 

tolovs *to use -fov 
dv-aWm^ pav-*U 
o-f bav yafiv 


// Draw the bars 、一、 … 

$bar width =$width / ((count($data) 2) , 

for「$i = 0; $i < count ($data) ; $i++) { 


imagefilledrectangle 


(Timg, 0,0, $width, $height, $bg_color); 

pv-aw a bav as a 
billed 

($i * $bar_width * 2) + $bar_width, $height r 


($ i ， $ bar_width * 2) + ($bar_wicLth * 2) , $height - ( ($height / $max_value) - $data[$i] [1]), $bar_color); 

($i * $bar width * 2) + ($bar_width) , $height - 5, $data [$i] [0], 


imagestringup 


$text color); 


0 

Q 


gup L ($img, 5, ($i * $bar_widl 

Dv*aw "the -fov* the bdv~ ds B 

o( ovic^icd wti 匕 ally. 


// Draw a rectangle around the whole thing 

imagerectangle^.($^^ 0,0, $width -_1, height-1, $ border_color); 


Pv-a>/ a vc 匕 avou 灼 d 

cr\*tiv-c bav yapii- 


// Draw the range up the left side of the grap 
for ($i = 1; $i <= $max_value; $i++) { 



▲ 


imagestr 


: ring | 


($img, 5, 0 r $height - ($i ^ ($height / $max_value)) 

f_. -the \rahgc up the Ic-ft side 

o*P the Bs ho\rrwolI hovizjoh-tcll 

// Write the graph image to a file s-t\rmgs o( text 

C C 


$i r $bar color); 


aaepna | 


imagedestroy 


($img); 


a 


义 一 Vcsbroy -the ih 

^Crwov-y -fco 


The -foldcv- oy\ *thc sewev- y/hc\rc "the -file is *to be v/\ri*t*tcr\ 
mus-t be v/\ri-tcablc m order -fo\r *this *to wovk. 
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tWei^re no o 

Dumb Questions 


visualizing your data... and more! 


Why does the draw 一 bar 一 graph () function write the 
bar graph image to a file instead of just returning it directly to the 
browser? 

Because the function isn’t contained within its own script that 
can return an image through a header to the browser. Remember, 
the only way to return a dynamically generated image directly to 
the browser is for a script to use a header, meaning that the entire 
purpose of the script has to be the generation of the image. 

So then why isn’t the draw_bar_graph () function 
placed in its own script so that it can return the bar graph image 
directly to the browser using a header? 

While it is a good idea to place the function in its own script 
for the purposes of making it more reusable, there is still a problem 
when it comes to returning an image via a header. The problem 
has to do with how you reuse code. When code is included in a 
script using include, include_once, require, or 
require once, the code is dropped into the script as if it had 


originally existed there. This works great for code that doesn’t do 
anything that manipulates the browser. But sending a header impacts 
the output of a script, which can be problematic for included code. 

It’s not that you can’t send a header from included code; you've 
actually done so in earlier examples. The problem is that you have 
to be extremely careful, and in some cases it isn’t safe to assume 
that headers haven't already been sent. The My Mismatch script, for 
example, can’t return an image to the browser because its job is to 
output HTML code containing mismatch results. Including script code 
that dynamically generates and returns an image would cause a 
header conflict. 

OK, so can I just reference the bar graph code like the 
captcha. php script from Guitar Wars. That seemed to work 
fine without an include, right? 

Yes, it did, and it referenced the captcha. php script 
directly from the src attribute of an <img> tag. The problem here 
is that we have a lot of data that needs to be passed to the bar graph 
code, and this would be very cumbersome to try and pass via GET or 
POST. 


Praw and display the bar graph image 

The draw_bar_graph () function makes it possible to dynamically generate 
a bar graph image, provided you give it the proper information. In the case of 
the Mismatch bar graph, this involves sending along a suitable width and height 
that works on the My Mismatch page (480x240), the two-dimensional array of 
mismatched category data, 5 as the maximum range value (maximum number 
of mismatch topics per category), and a suitable upload path and filename for 
the resulting bar graph image. After calling the function, the image is generated 
and suitable for display using an HTML <img> tag. 

echo '<h4>Mismatched category breakdown : </h4>'; 


-Pile gchcv-atcd by 
ull is 


The 

"this 十 dall is 

a^d is sWd 

° h 七 k SCWClr m the path 

idch-ti-Picd by MMJA?LOAV?KTW. 


draw bar graph(480, 240, $category totals, 5 , MM UPLOADPATH . 'mymismatchgraph.png'); 


echo ' <img src: 


MM UPLOADPATH . 'mymismatchgraph.png" alt= M Mismatch category graph" / ><br / >'; 


the help o( a \rcusablc fuWioh, 
it s possible -feo go -P\rom ddidbase data 
■to a ba\r giraph sioved ih av\ -file. 


Appearance 

3 

Entertainment 

4 

Food 

4 

People 

2 

Activities 

5 





TiiC sdmC 

•filers 你 c avc spcdi-ficd m svd 


i ⑽ 

itioio* 

OOICU 

mymismatchgraph.png 
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test out mismatch, now with bar graphs 




Tqst DriVq 


Create the My Mismatch script and try it out. 

Create a new text file named mymismatch . php, and enter the code for the My Mismatch 
script (or download the script from the Head First Labs site at www. headfirst labs • com/ 
books/hfphp). Also add a new menu item for My Mismatch to the navmenu . php script. 

Upload the scripts to your web server, and then open the main Mismatch page (index . php) 
in a web browser. Log in if you aren’t already logged in, and the click “My Mismatch” on the 
main navigation menu. Congratulations, this is your ideal mismatch! 




Mifiraalth ■■ My Miamutth 

Harr : ■ ， Vfcw Ijdv'J 




— Mv 兄 l^maKb 擎 


.laiuvi 

Holiyviood.CA 


i 


Ynu sarv m&jmilt'hL'rt rm the 1 falLawiiqi 1H iapiw 】 

TfliEMM ccwtm) 1 boots LC0|liair 

iinmt rw 彻 llHfifilr^ musk: m yra SusJiL 

Swv fewd PteHnut bullcr 喪 banana. MnJwidrtu Marlinii RiU riate 

KarMfis Hiking 

MbrnMeli^d caLtRiirv breakdu^ni 


ft 


3 


7 


Now thafs what I’m talking 
about! The visual category 
breakdown is all I needed to 
see to know Jasons the one. 


丁 he "topics have 

beeh \re^o\nmsiicd 
•… "to a table -to 
\room -foV" 

七 he bav- gvaph. 


The ba\r gv-aph -Pi-ts 
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Draw the bar graph usirsg the 
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visualizing your data... and more! 



So I’m curious, how are we able to store 
the My Mismatch bar graph image in 
a single file when a unique image is 
generated for every different user? 


A bit of luck, as it turns out. 

It’s true, there is only one bar graph image at any given time, no matter how 
many users there are. This could present a problem if two users ever happen 
to view the My Mismatch page at the exact same moment. We run the risk of 
generating separate images for the two people and then trying to write them to a 
single image file. 

This problem is probably fairly isolated in reality, but as Mismatch grows in 
popularity and expands to thousands and thousands of users, it could become 
significant. The fact that each one of the users thinks of the bar graph image as 
their own is a clue that there’s a weakness in the single image bar graph design. 


ttcvc dlcavly have tWee 
bav 

•m vicv^z, bu*t kr\ov/ or\ly ov\t 
imd^C -f ile is used *to 七 hem. 


tij lima 叫 



I ⑽ 

Jj3«_ 


mymismatchgraph.png 


A single image is 
continuously regenerated 
for every user’s My 
Mismatch bar graph. 




How would you change the Mismatch 
code to ensure that users don’t share 
the same bar graph image? 
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a bar graph for every user 


Individual bar graph images for all 


The solution to the shared bar graph image problem lies in generating multiple 
images, one for every user, in fact. But we still need to ensure that each of 
these images is tied to exactly one user and no more. That’s where a familiar 
database design element comes into play... the primary key! The primary key 
for the mismatch_user table, user—id，uniquely identifies each user, and 
therefore provides an excellent way to uniquely name each bar graph image and 
also associate it with a user. All we have to do is prepend the users’ IDs to the 
filename of their bar graph image. 

TTie usc\r_id dolurwh 
selves as -the pv-imav-y 
key -Pov- the usev- table- 


Oy\t ba\r g\raph 

a" uscv*s _ 

匕 ih "the Ioh0 \ruh- 


(^^lymismatchgraph.png 



cadK 七 usevs 
-tiiciv" ov/r\ bav 

imd^c elWmates a 
s'm^le ima^e 七 Wou—u 七 
i\\c ⑼ live 



usev* ― id doluw'^ of 
usev- table is fv-cfci^dcd *to 
filename ca^ user's bar 

assuv-mj um<\ucr\css 


ymismatchgraph.png 
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visualizing your data... and more! 


thereiare no o 

Dumb Questions 


Is there any advantage to outputting dynamically 
generated images as PNG images versus GIFs or JPEGs? 

No, none beyond the reasons you would choose one image 
format over another for static images. For example, GIFs and PNGs 
are better for vector-type graphics, whereas JPEGs are better for 
photorealistic graphics. In the case of Mismatch, we’re dealing with 
vector graphics, so either PNG or GIF would work fine. PNG happens 
to be a more modern image standard, which is why it was used, but 
GIF would've worked too. To output a GD image to a GIF and JPEG, 
respectively, call the imagegif () and image jpeg () 
functions. 

How do I know what compression level to use when 
outputting PNG images to a file? 

The compression level settings for the imagepng () 
function enter the picture when outputting a PNG image to a file, and 
they range from 0 (no compression) to 9 (maximum compression). 
There are no hard rules about how much compression to use when, 
so you may want to experiment with different settings. Mismatch uses 
5 as the compression level for the bar graphs, which appears to be a 
decent tradeoff between quality and efficiency. 


Are there file storage issues introduced by generating a 
bar graph image for each user? 

No, not really. This question relates back to the compression 
level question to some degree, but it’s unlikely that you'll overwhelm 
your server with too many or too huge files unless you really go crazy 
generating thousands of large image files. As an example, consider 
that the Mismatch bar graph images average about 2 KB each, so 
even if the site blows up and has 50,000 users, you’re talking about a 
grand total of 100 MB in bar graph images. Granted, that’s a decent 
little chunk of web hosting space, but a site with 50,000 users should 
be generating plenty of cash to offset that kind of storage. 




E%eftciSe 


Below is the Mismatch code that dynamically generates a bar graph image and then displays 
it on the page. Rewrite the code so that it generates a unique image for each user. Hint: use 
$—session [ ▼ user—id' ] to build a unique image filename for each user. 


echo ' <h4>Mismatched category breakdown : </h4> '; 

draw bar graph (480, 240, $category totals, 5, MM UPLOADPATH . 'mymismatchgraph.png'); 


echo ' <img src ； 


MM UPLOADPATH . 'mymismatchgraph.png" alt= M Mismatch category graph" / ><br / > 
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exercise solution 



EoteRciSe 

§OLytiOH 


Below is the Mismatch code that dynamically generates a bar graph image and then displays 
it on the page. Rewrite the code so that it generates a unique image for each user. Hint: use 
$ session ['user id ' ] to build a unique image filename for each user. 


echo ' <h4>Mismatched category breakdown : </h4> '; 

draw bar graph (480, 240, $category totals, 5, MM UPLOADPATH . 'mymismatchgraph.png'); 


echo ' <img src ； 


MM UPLOADPATH . 'mymismatchgraph.png M alt= M Mismatch category graph" / ><br / > 


The sla^da^rd -f ile upload 
^a*t^ used *to 

ensure —ay 

is s*bov*cd dcs»vcd 

ov\ 七 he scv-vcv*. 


Make suve *tKis -Poldev- oy\ *thc 
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-Pile be 



丁 he uhi^uc image follows 

the -Po\rrw 
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cdho ^h^Mismatdlicdl da*tcjo\ry b\reakdo>m:</l^>’; 



Jp.—n 砂 f 5 

MM__UPLOAPPATtt . f—SESS|0N[Vse\r 」 d’]. 

tC\\o s\rd 二 ", • MA1^_UPL0APPATH' • f^_SESS|0Kt 1 usc\r^_id ， 3 . mymisma-tdlijv-aph 

ali— u /l/Iisma-tdii daiejov-y /><bv- />; 
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dwdy m d session vav"i3blc. 



丁 he Sdv^C iw\3^C -f ilcir\3w\C is used 
*tV)C sv-t a*t*tv"ibu*tc 
i\\t <*im 5 > -taj -for -tiic bav- 
yaph \y^ HTML- todc- 




Tesr DriVq 


Change the My Mismatch script to generate unique bar graph images. 

Modify the My Mismatch script so that it generates a unique bar graph image for each user. 
Upload the mymismatch . php script to your web server, and then open it in a web browser. 
The page won’t look any different, but you can view source on it to see that the bar graph 
image now has a unique filename. 
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visualizing your data... and more! 


Mismatch users are digging the bar graphs 

With the shared bar graph image problem solved, you’ve helped eliminate 
a potential long-term performance bottleneck as more and more users join 
Mismatch and take advantage of the “five degrees of opposability” graph. Each 
user now generates their own unique bar graph image when viewing their ideal 
mismatch. Fortunately, this fix took place behind the scenes, unbeknownst to 
users, who are really taking advantage of the mismatch data in the hopes of 
making a love connection. 
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php & mysql toolbox 



,^ 4： Your PHP ^ MySQL Toolbox 


Dynamic graphics open up all kinds 
of interesting possibilities in terms 
of building PHP scripts that generate 
custom images on the fly. Let’s recap 
what makes it all possible. 


CAPTCttA 

A pv-o^v-arw pv-o-tcdts a v/cb 
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visualizing your data... and more! 



PHP&MySQLcposs 

When you could actually use a robot, they’re nowhere to 
be found. Oh well, your analog brain is up to the challenge 
of solving this little puzzle. 



Across 

I. This PHP graphics function draws a line. 

6. The visual used to show how mismatched users compare on 
a categorized basis. 

7. To generate custom bar graph images for each user in 
Mismatch, this piece of information is used as part of the image 
filename. 

8. Mismatch uses this kind of array to store bar graph data. 

10. Give it two points and this graphics function will draw a 
rectangle. 

II. If you want to draw text in a certain font, call the image...text 
()function. 

13. Always clean up after working with an image in PHP by 
calling this function. 

14. Call this graphics function to create a new image. 


Down 

2. The name of PHP's graphics library. 

3. Call this function to output an image as a PNG. 

4. Owen's ideal mismatch. 

5. Mismatch uses a bar graph to compare users based upon 

"five degrees of. 

9. A test used to distinguish between people and automated 
spam bots. 

12. When PHP outputs an image, the image is either sent 
directly to the client browser or stored in a "… 
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php&mysqlcross solution 



PHP&MySQLcross Solution 
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12 syndfccition and Web services 



This is amazing. Instead of 
having to travel around asking 
people whafs going on, we can get 
news delivered to us... brilliant! 


Indeed. Technology 
brings the world to our 
ink-smudged fingertips! 




It’s a big world out there, and one that your web application 

Can’t afford to ignore. Perhaps more importantly, you’d rather the world 
not ignore your web application. One excellent way to tune the world in to your web 
application is to make its data available for syndication, which means users can subscribe 
to your site’s content instead of having to visit your web site directly to find new info. Not 
only that, your application can interface to other applications through web services and 
take advantage of other people’s data to provide a richer experience. 
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spreading the word beyond owen's web site 


Owen needs to get the word out about Fang 

One of the big problems facing any web site is keeping people coming back. 
It’s one thing to snare a visitor, but quite another to get them to come back 
again. Even sites with the most engaging content can fall off a person’s radar 
simply because it’s hard to remember to go visit a web site regularly. Knowing 
this, Owen wants to offer an alternative means of viewing alien abduction 
reports — he wants to “push” the reports to people, as opposed to them having 
to visit his site on a regular basis. 
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irvfoVw'd 七 io 於 ii3sir\ *b led 
{jo Fa^^s lodatior\. 


Abducted Mr 


: AJbdurHnri J 


1 二= 二 化 


cxiiiPffijKgmiisi Were 卿 uWuckkS? 


skji my iJNutwd d 略 Far^7 


TV^c Rc\>ov-t h\)duhov\ 
-poV'W' is y/ov*kur\^ ^vc3"b) 
but 0^ -tKmks i\\t s»*tc 
heeds W\OV*C C^fOSUVC- 


AbduciKlfDr; A tan dcscripLwn； 

Ounu r UEic tad 

2DCS-0K-11 i JfonK 

AbdiKiri for: Alien deatripttan，. 

I dflV VfidiiLi tcr.w}M 

-00U-*07-I2 j Afif Nader 
Abductri fer: A&ti dcvripilt,,,： 

It wjii j Jh* rwa.mcj.iriab^ ^iay diic ^uJl a f wh*i ¥m 

1991-0944 : Don Qu^U ' append ip^ mulrtcd 如 uninLrfficbk. 

Atmiictri for: Alien (Jfstrt'paoni \ 

'^!? 0n，3S llW >' *«咖咖 ^onsxyi 腹 fc (HJI OJ ilKHlWlUlSflQlcIcina^ lH fh 冲 * 0 讲 _1 : 

1W9-01-21 £ Hfcfe NlKfln 灿 MQic lanJof jK pactu anacted » 

A Jnrr Alin d<acn_piim: 

4 ycura They woe p*iy timj piuxlcring, usd ntC vpiy fen^ivin^. Fail £ "pottad! 


裊叫 sikicW: 

Jit? 

卿御 md: 

yet 

Faaj ； 


HI9 


Si^c you last saw 0^cv\, 
he’s dveated a r^aih 
*Po\r viewih^ usc\r—subr^rt-ted 
dliCh abdu^tioh \rcpov-ts. 


0v/cr> \\oyts *tKa*t mo\rc c%fosu\rc (or i\\t 
si-tc Will *mdv-casc K*is odds o-f Par^. 
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syndication and web services 


Push alien abduction data to the people 

By pushing alien abduction content to users, Owen effectively creates 
a virtual team of people who can help him monitor abduction reports. 
With more people on the case, the odds of identifying more Fang 
sightings and hopefully homing in on Fang’s location increase. 


Some email clients support M push w content, 
allowing you to receive web site updates 
the same way you receive email messages. 





Puskingf wet 
content to users is 
a great way to kelp 
gain more exposure 
lor a wet site. 


Many regular web 
browsers also let you 
browse M push w content 
that quickly reveals 
the latest news posted 
to a web site. 


Even mobile devices provide 
access to M push w content 
that is automatically 
delivered when something 
on a web site changes. 


vi ^ual team ali Ch 
dbdu^ioh viewer 

will hopefully the 

O-P him -fihdihg Fa h g. 


sure \\ o^i *to 
fcoy\*tcirrt *to users bu*t 
\)t v-cally likes -tVic >dca. 
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use RSS to syndicate your site 


RSS pushes web cowtcwt to the people 


The idea behind posting HTML content to the Web is that it will be viewed by 
people who visit a web site. But what if we want users to receive our web content 
without having to ask for it? This is possible with RSS, a data format that allows 
users to find out about web content without actually having to visit a site. 


RSS is kinda like the web equivalent of a digital video recorder 
(DVR) . DVRs allow you to 4 ‘subscribe’’ to certain television shows, automatically 
recording every episode as it airs. Why flip channels looking for your favorite 
show when you can just let the shows come to you by virtue of the DVR? While 
RSS doesn’t actually record anything, it is similar to a DVR in that it brings web 
content to you instead of you having to go in search of it. 


HTML is 

lor viewing ； 

RSS is lor 

syncticatingt 


By creating an RSS feed for his alien abduction data, Owen wants to notify 
users when new reports are posted. This will help ensure that people stay 
interested, resulting in more people combing through the data. The cool thing is 
that the same database can drive both the web page and the RSS feed. 


J\ rtcy/svcadicv- alloy/s you 
{jo substvibc *to 

\n\\'\CM 匕 o 灼 tarn items 



av-c devived -fv-orn y/cb 
s'i*tc 七 


Alkiv ， AhdBMed Mr 

Wc 4 ,M 3> 1 tof W 珍 , 


1 ¥tEa| 








r: JtMm dt 


Akidwii ru 

dim i '■ n^ray 

.3^-05-11 : 

jhbdiuwfl hr ： JtMm 

I pBEi^ fc: h sto 


pi* ，: 

— 

dwrVuc> 




EH 

I bm 




Iv ： 

r^c^-l ^ank the? -m p^T pt-iTOE 




"though -the web pay is 

dyhami^ally gchc\ratcd -Pv-o^ 
database dais, you have -to v-evisi-t it 
to see i-P hew dais has bcch posted. 



怍 Mi fi^il«ch<| 




「l»f Inalud y u danli^. nu* 

' ^ vtri . PMr , rwl pH1lhrMua ^ 


Wert, y^cy/sv-cadcv- 

Wilt m-bo Safari v/cb 

Wov/scv- »s kem^ used- 


RSS offers a view on web data that is delivered to users automatically as new 
content is made available. An RSS view on a particular set of data is called an 
RSS feed, or newsfeed. Users subscribe to the feed and receive new content 
as it is posted to the web site — no need to visit the site and keep tabs. 

To view an RSS feed, all a person needs is an RSS newsreader. Most popular 
web browsers and email clients can subscribe to RSS feeds. You just provide the 
newsreader with the URL of the feed, and it does all the rest. 
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syndication and web services 


RSS is really XML 


RSS is like HTML in that it is a plain text markup language that 
uses tags and attributes to describe content. RSS is based on XML, 
which is a general markup language that can be used to describe 
any kind of data. XML’s power comes from its flexibility — it doesn’t 
define any specific tags or attributes; it just sets the rules for how tags 
and attributes are created and used. It’s up to specific languages such 
as HTML and RSS to establish the details regarding what tags and 
attributes can be used, and how. 

In order to be proficient with RSS, you must first understand the 
ground rules of XML. These rules apply to all XML-based languages, 
including RSS and the modern version of HTML known as XHTML. 
These rules are simple but important — your XML (RSS) code won’t 
work if you violate them! Here goes: 


^ Tags 


that 


contain content must appear as matching pairs. 


RSS is a markup 
language used to 
ctescrite wet content 
lor syndication. 


\yyto>TYtti\ TWs h 。 
Chd-iag. 


<p>Phonc home! 



<p>Phone home!</p> 


spade dr>d s -fov>wav*di slasK bc-fovc >• 


/ Empty tags that have no content must be coded with a space 
and a forward slash at the end before the closing brace. 





ok-\rc^i. 


<br / > 


Covv-cC-t 


The attiribute 州 ust 

be (hdjosed ih double 'u 。 七 es. 


^All attribute values must be enclosed in double quotes 


"""^5-L U^dlitili . y i £ ― t 


<img src= !f alien. gif ff /> 


XML is a markup 
language used to 
ctescrite any kind 
ol data* 


Unlike PttP, allows you 
*to use double ov s'm^lc quotes 
moS*t s'i*t'A3"t»or\S ) )(/V1L is 
r\yd m or\ly allow’” double 
^o*tcs -fov- values. 
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no dumb questions about rss 



Dumb Quest! 


ons 


Why is RSS so much better than someone just coming to 
my web site? 


A 


If people regularly visited your web site to seek out the latest 
content, then RSS wouldn't be any better than simply displaying 
content on your web site. But most people forget about web sites, 
even ones they like. So RSS provides an effective means of taking 
your web content directly to people, as opposed to requiring them to 
seek it out. 


What does RSS stand for? 


A- 

Jr \* Nowadays RSS stands for Really Simple Syndication. 
Throughout its storied history there have been several different 
versions, but the latest incarnation of RSS (version 2.0) stands for 
Really Simple Syndication, which is all you need to worry about. 

% 

A. 

Jr \* RSS is a data format. So just as HTML is a data format that 
allows you to describe web content for viewing in a web browser, 
RSS is a data format that describes web content that is accessible 
as a news feed. Similar to HTML, the RSS data format is pure text, 
and consists of tags and attributes that are used to describe the 
content in a newsfeed. 


So what does RSS consist of? 


Where do I get an RSS reader? 

Most web browsers have a built-in RSS reader. Some email 
clients even include RSS readers, in which case RSS news items 
appear as email messages in a special news feed folder. There are 
also stand-alone RSS readers available. 
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syndication and web services 




Below is RSS code for an Aliens Abducted Me news feed. Annotate the highlighted code to 
explain what you think each tag is doing. 


<?xml version^"1.0" encoding= M utf-8"?> 

<rss version="2.0 M > 

<channel> 

<title>Aliens Abducted Me - Newsfeed</title> 

<link>http :// aliensabductedme.com/</link> 

<description>Alien abduction reports from around the world courtesy of Owen and his 
abducted dog Fang• 〈 /description 〉 

<language>en-us</language> 


<item> 

<title>Belita Chevy - Clumsy little buggers , had no rh...</title> 
<link>http :// www.aliensabductedme.com/index.php?abduction_id=7</link> 
<pubDate>Sat, 21 Jun 2008 00:00:00 EST</pubDate> 

<description>Tried to get me to play bad music• 〈 /description 〉 

</item> 

<item> 

<title>Sally Jones - green with six tentacles...</title> 

<link>http :// www.aliensabductedme.com/index.php?abduction_id=8</link> 
<pubDate>Sun, 11 May 2008 00:00:00 EST</pubDate> 

<description>We just talked and played with a dog</description> 

</item> 


</channel 〉 
</rss> 
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annotated rss code 



ExeRciSe 

§oLytiOH 


Below is RSS code for an Aliens Abducted Me news feed. Annotate the highlighted code to 
explain what you think each tag is doing. 

This CoAt ish ^ a ^ ^ 

严 that idj 心： 

do^umcht as ^oh-taihihg X^IL 匕 ode. 

<?xml version="1.0" encoding= M utf-8"?> 

This <tiilc> taj applies -to 

/ "the 匕 ds a whole. 



<rss version= M 2.0"> 


<channel> 


X 


<title>Aliens Abducted Me - Newsfeed</title> 
<link>http :// aliensabductedme.com/</link> 


I'mk (or a dl^awcl usually 
pom*ts *to v/cb si*tc 
dsso^id*ked W\{}\ r^cv/s-fccd- 


<description>Alien abduction reports from around the world courtesy of Owen and his 

abducted dog Fang• 〈 /description 〉 ^- 、 ^vcv*Y v\ccds d 

<language>en-us</language> 


<item> 


Wcws-fccds dah be dv-catcd ih 
di-PWh-t languages - this -bg 
establishes the language <^P a dhahhel 


dcsc.v-'»p*tioy\ *bo 4a 七 

k'md Jc Y\t^is I*t oWcv-s. 


<title>Belita Chevy - Clumsy little buggers, had no rh...</title> 
<link>http :// www.aliensabductedme.com/index.php?abduction_id=7</link> 
<pubDate>Sat, 21 Jun 2008 00:00:00 EST</pubDate> 

<description>Tried to get me to play bad music• 〈 /description 〉 

丁 ^ namC ^ alien abd^tcc a^d 
alia dcst\r*i\>tio^ data a^rc dombmed -to 
sevve as tV^c title ca^ 咖 s 心州. 

<item> 



<title>Sally Jones - green with six tentacles...</title> 

<link>http :// www.aliensabductedme.com/index.php?abduction_id=8</link> 
<pubDate>Sun f 11 May 2008 00:00:00 EST</pubDate> 

<description>We just talked and played/with a dog</description> 

</item> 


TV’s RSS only doivtdms a 

siir^le dha^cl, ^jW\cM is pcv-Pcd-tly -fmc 
i*f you Aoy!{, i\ttd b> bv*edk up ^ews 
iiems m-to daicjov-ics. 


</channel 〉 tvevy )<ML «^ust V^avc a 
</rss> _ / stav 七 - *ta 》 —a” 


TV date spe^i-fied m 
<pubPatc> adiicvcs -to 
七 RFC-^2-1 date/tiw'C 

is d s*t3^d3V"ci 
-fov vcpv-cscy\*t»^5 3 dc*ba»lcd 
date a^di time as *be 乂七 . 


The lihk -PoV dh 
ihdividudl hews rtcru 
typically poih-ts -fco 
"the -full doh'tch't -Pov* 
"the itcrw oh the web 
site associated with 
the hcws-Pccd- 


七 V\is Chd-ta^ doses i\\t 
RSS do^umCr\*t- 
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OK, so RSS is really XML, which means 
ifs just a bunch of tags. That seems easy 
enough. So all we have to do to create a 
newsfeed is just create an XML file, right? 


Yes, sort of. But you don’t typically create XML code 
by hand, and it often doesn’t get stored in files. 

It’s true that XML can and often does get stored in files. But with RSS 
we’re talking about dynamic data that is constantly changing, so it doesn’t 
make sense to store it in files — it would quickly get outdated and we’d 
have to continually rewrite the file. Instead, we want XML code that is 
generated on-the-fly from a database, which is how the HTML version 
of the main Aliens Abducted Me page already works. So we want to use 
PHP to dynamically generate RSS (XML) code and return it directly to 
an RSS newsreader upon request. 
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rss newsreaders explained 


From database to newsreader 


In order to provide a newsfeed for alien abduction data, Owen needs to 
dynamically generate RSS code from his MySQL database. This RSS code 
forms a complete RSS document that is ready for consumption by RSS 
newsreaders. So PHP is used to format raw alien abduction data into the 
RSS format, which is then capable of being processed by newsreaders and 
made available to users. The really cool part of this process is that once the 
newsfeed is made available in RSS form, everything else is automatic — it’s up to 
newsreaders to show updated news items as they appear. 


aliens 一 abduction 


An RSS newsreacter 
is designed to 
consume tke data 
made availatle ty 
an RSS newsieect. 


abductionjd 

first_name 

last.name 

when_it_hoppened 

1 

~~Alf 

Nader 

200-07-12 

2 

Don 

Quayle 

1991-09-14 

3 

Rick 

Nixon 

1969-01-21 

4 

Belita 

Chevy 

2008-06-21 

5 

Sally 

Jones 

2008-05-11 


The newsreader 
knows how 
to interpret 
individual news 
items in XML 
code and show 
them to the user. 


科 


howjong 

one week 


37 

seconds 


nearly 4 
years 


almost a 
week 


how 一 many 

at least 12 


dunno 


just one 


alien,descrip*ion 

It was a big non- 
recyclable shiny 
disc full of... 

They looked like 
donkeys made 
out of metal... 

They were pasty 
and pandering, 
and not very... 


Clumsy little 
buggers, had no 
rhyth 


what 一 they 一 did 

Swooped 
down from the 
sky and... 

I was sitting 
there eating c 
baked... 

Impeached 
me, of course, 
then they 
probed... 

Tried to get me 
to play bad 
music. 


PHP is used 
to generate an 
RSS newsfeed 
document from a 
MySQL database. 


<?xml version= n l. 0" encoding= n utf- 8 n 
<rss version= n 2 • 0”> 

<channel> 

〈 title〉Aliens Abducted Me - Newsfeed</title> 

<lxnk>http://aliensabductedme.com/</link> 

fr ° m ar ° Und the courtesy of Owen and hxs 

<language>en-us</language 〉 

^item> — 

Chevy _ Clums y Xittl e buggers, had no rh. • .</title> \ 

4item> 1Ptl ° n>Tried t0 gSt ^ t0 Play bad music . "Ascription 〉 


. — •" —一 
^ |jL|| M H||| • 一 




m 




I B .* P. | r ■ 




ihdividudl hews 
•terh has i-fcs ov/h 
sc^tioh ih the RSS 
hCWS-Pccd do^urhCht. 


irtcy/sv-cadcv' fV-CSCir\*U 

灼 cws items'm i*U ovm 

unique way - V^cvc 
items av-C shoym m mu 仏 
七 same y/aY as email 

messages. 


i_in 






n ■ 罅 ■ ^ 

r«hdii r m- 


TWis y\cv/sv-cadcv- is built 
*m*to tVic standard 

m MBC OS }(• 
o*t^cv popular era'll 
ap^ri£.3*tioir\S also mdludc 
Wil 七一 m ncwsv-cadcv-s. 
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syndication and web services 



+ + 

- WM 办 T ， - 

Creating RSS feeds is all about understanding the RSS language, 
which means getting to know the tags that are used to describe news 
items. Match each RSS tag to its description. 

<rss> 

This tag has nothing to do with RSS. But it sure sounds like a 
cool name for a piece of news data! 

<c}icmnel> 

The publication date is an important piece of information for 
any news item, and this tag is used to specify it. 

<cronk!te> 

This tag represents a single channel in an RSS feed, and acts as 
a container for descriptive data and individual news items. 


Represents an individual news item, or story, which is further 
described by child elements. 

〈 language 〉 

This tag always contains a URL that serves as the link for a 
channel or news item. 

<llnk> 

Encloses an entire RSS feed all other tags must appear inside 
of this tag. 

<descrlpti9n> 

This tag stores the title of a channel or news item, and is 
typically used within the 〈 channel〉and <item> tags. 

<pubDctte> 

Used to provide a brief description of a channel or news item, 
appearing within either the 〈 channel〉and <item> tags. 

<rtem> 

This tag applies to a channel, and specifies the language used 
by the channel, such as en-us (U.S. English). 
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who does what solution 


♦ 






• 务 ▼ 你 m 


^ vcy .y 尺 ££ ^ ec( j[ Creating RSS feeds is all about understanding the RSS language, 

dor\sis*U o( 3 *b which means getting to know the tags that are used to describe news 

leas 七 or\t dV^a^cl, items. Match each RSS tag to its description. 

「 \n\\\cM is basidally a w , r Dcc 

o<f vcla-tcd TKc <v-ss> ia^ is i\)t root 

dodumcr>*t - all o-thcv iay must appcav msidc ok it 


youf 
r\C>ws i*tcms. 


<rss> 



<c}icinnel 


<cronk!te> 


<llnk 


<fteni> 



<txtle> 

This -tag is ohly 
used m t\\^y\t\t\s^ 

〈language 


<descrlpti9n> 

JKis -ta^ or^ly applies 
•fco r\CY/s i*tcrws. 

<pubDctte 


This tag has nothing to do with RSS. But it sure sounds like a 
cool name for a piece of news data! 

The publication date is an important piece of information for 
any news item, and this tag is used to specify it. 


This tag represents a single channel in an RSS feed, and acts as 
a container for descriptive data and individual news items. 


Represents an individual news item, or story, which is further 
described by child elements. 


This tag always contains a URL that serves as the link for a 
channel or news item. 


Encloses an entire RSS feed — all other tags must appear inside 
of this tag. 


This tag stores the title of a channel or news item, and is 
typically used within the <channel〉and <item> tags. 


Used to provide a brief description of a channel or news item, 
appearing within either the 〈 channel〉and <item> tags. 




This tag applies to a channel, and specifies the language used 
by the channel, such as en-us (U.S. English). 

The <l*mk>, <pubDatc>, av\d 

<dcsd\ripiioh> -tags avc used withm 
<i-tcrw> -to dcsd\ribc d news iicrw. 
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syndication and web services 


KSS 


Visualizing 

You already learned that XML 


tlready learned that XML code consists of tags, which are also sometimes 
referred to as elements, that form parent-child relationships within the 
context of a complete XML document. It is very helpful to be able to visualize 
this parent-child relationship as you work with XML code. As an example, the 
RSS document on the facing page can be visualized as a hierarchy of elements 
kind of like a family tree for newsfeed data, with parent elements at the top 
fanning out to child elements as you work your way down. 


The -title, Imk, dcstvipiioh, and 
language clcmchts -Pov- a 
a PP«air alongside the hews items as 
^hild\TCh o-p the dcrwCht- 





link i description language 



■fcofW'OS't dcw\Cir\*t I s 
yooi dotumc^-t, 

y^\cM mcay\s »*t »s i\\t 

all o*t^cv- elemerrb. 


丁 he title, lihk, 

pubDatc, av\d 
dcs^v*ip"tioh clcmcivts 
^ a 9 'vch hews 
appcair as ^hild^h of 
"the dcruCh't. 


item 



title I, link i pubDate | description 11 title 


iilink I 

" _* 


pubDate i description 



ExettciSe 


Below is a brand-new alien abduction report that has been added to the aliens—abduction 
database. Write the XML code for an RSS <item> tag for this abduction report, making sure to 
adhere to the RSS format for newsfeeds. 


aliens abduction 
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exercise solution 



Below is a brand-new alien abduction report that has been added to the aliens_abduction 
database. Write the XML code for an RSS <item> tag for this abduction report, making sure to 
adhere to the RSS format for newsfeeds. 


aliens abduction 





The <itcm> -tag 
Ch^loses the hews i-terw. 



nc <pubpatc>, 

<dcst\r*iptioir\> Sfcll ou-t 
details o-f rtcy/s rtern. 


<ti-t!c>Shill lVa*tr\cy" - .Tlw.light *m the sky ； </titles 
<lmk>lvt*tp://y/y/y/.alic^sabdlud*tcdlrwcdom/*mdc^piip?abdud*tioir\^Jdl =1 l^"</rmk> 

. 巧 .vM . 7 ： QQ 9 .QQ' ： QQ ： QQ. 777 

teamed me *b>y/a\rd a jas .</dcsdriptio^> 


The <pubDaic> iag 

啪 us 七 be m rwi^cd ddse 

wiih the capital D, so i 七 

be <pubdatc> olr 

<pubpate>. 



Is XML case-sensitive? 

^V* Yes, the XML language is case-sensitive, so it matters whether 
text is uppercase or lowercase when specifying XML tags and 
attributes. A good example is the RSS <pubDate> tag, which 
must appear in mixed case with the capital D. Most XML tags are 
either all lowercase or mixed-case. 


Can an RSS feed contain images? 

^V* Yes. Just keep in mind that not every news reader is able 
to display images. Also, in RSS 2.0 you can only add an image 
to a channel, not individual news items. You add an image to a 
channel using the 〈 image 〉 tag, which must appear inside the 
<channel> tag. Here's an example: 


What about whitespace? How does it fit into XML? 

^V: First of all, whitespace in XML consists of carriage returns 
(\r), newlines (\n), tabs (\t), and spaces (▼ '). The majority 

of whitespace in most XML documents is purely for aesthetic 
formatting purposes, such as indenting child tags. This “insignificant” 
whitespace is typically ignored by applications that process XML 
data, such as RSS news readers. However, whitespace that appears 
inside of a tag is considered “significant,” and is usually rendered 
exactly as it appears. This is what allows things like poems that have 
meaningful spacing to be accurately represented in XML. 


<image> 

<url>http : // www .aliensabductedme.com/fang.jpg</url> 
<title>My dog Fang</title> 

<link>http :// www.aliensabductedme.com</link> 
</image> 

It is technically possible to include an image in a news item in RSS 
2.0; the trick is to use the HTML <img> tag within the description 
of the item. While this is possible, it requires you to encode the 
HTML tag using XML entities, and in many ways, it goes against the 
premise of an RSS item being pure text content. 
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ESS Ecvcalci 

This week’s interview: 

What makes a newsman tick 


Head First： So I hear that when people are looking for 
news on the Web, they turn to you. Is that true? 

RSS: I suppose it depends on what you consider “news.” 
I’m mainly about packaging up information into a format 
that is readily accessible to newsreaders. Now whether 
that content is really news or not... that’s something I can’t 
control. That’s for people to decide. 

Head First： Ah, so by “newsreaders,” you mean 
individual people, right? 

RSS: No, I mean software tools that understand what 
I am and how I represent data. For example, a lot of 
email programs support me, which means that you can 
subscribe to a newsfeed and receive updates almost like 
receiving email messages. 

Head First： Interesting. So then how are you different 
than email? 

RSS: Oh, I’m a lot different than email. For one thing, 
email messages are sent from one person to another, and 
are usually part of a two-way dialog. So you can respond 
to an email message, get a response back, etc. I only 
communicate one way, from a web site to an individual. 

Head First： How does that make it a one-way 
communication? 

RSS: Well, when a person elects to receive a newsfeed 
by subscribing to it in their newsreader software, they’re 
basically saying they want to know about new content that 
is posted on a given web site. When new content actually 
gets posted, I make sure it gets represented in such a way 
that the news reader software knows about it and shows 
it to the person. But they aren’t given an opportunity 
to reply to a news item, which is why it’s a one-way 
communication from a web site to an individual. 

Head First： I see. So what are you exactly? 

RSS: I m really just a data format, an agreed-upon 
way to store content so that it can be recognized and 
consumed by news readers. Use me to store data, and 
newsreaders will be able to access it as a newsfeed. 


Head First： OK, so how are you different than HTML? 

RSS: Well, we’re both text data formats that are 
ultimately based on XML, which means we both use tags 
and attributes in describing data. But whereas HTML is 
designed specifically to be processed and rendered by web 
browsers, I’m designed to be processed and rendered by 
newsreaders. You could say that we provide different views 
on the same data. 

Head First: But I Ve seen where some web browsers can 
display newsfeeds. How does that work? 

RSS: Good question. As it turns out, some web browsers 
include built-in newsreaders, so they are really two tools 
in one. But when you view a newsfeed in a web browser, 
you’re looking at something completely different than an 
HTML web page. 

Head First： But most newsfeeds link to HTML web 
pages, correct? 

RSS： That’s right. So I work hand in hand with HTML 
to provide better access to web content. The idea is that 
you use me to learn about new content without having 
to go visit a web site directly. Then if you see something 
you want to find out more about, you click through to the 
actual page. That’s why each news item has a link. 

Head First： So you’re sort of a preview for web pages. 

RSS： Yeah, kin da like that. But remember that I come 
to you, you don’t have to come to me. That’s what people 
really like about me — I keep them from having to revisit 
web sites to keep tabs on new content. 

Head First： I see. That is indeed convenient. Thanks for 
clarifying your role on the Web. 

RSS: Hey, glad to do it. Stay classy. 
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generate rss with php 


dynamically generate m RSS feed 


Understanding the RSS data format is all fine and good, but Owen still needs 
a newsfeed to take alien abduction reports to the people. It’s time to break 
out PHP and dynamically generate a newsfeed full of alien abduction data 
that has been plucked from Owen’s MySQL database. Fortunately, this can be 
accomplished by following a series of steps: 


The resulting newsfeed 
isn’t stored in a file but 
it is an XML document. 


<?php header('Content-Type : text/xml'); ?> 


o Set the content type of the document to XML. 

^ have io sci ih c 
乙 ohteht type of 

七 he do 乙七 

"to )(ML by usih^ 

^ Q Generate the XML directive to indicate that this is an XML document 

<?php echo '<?xml version= M 1.0 M encoding= M utf-8 M ?>'; ?> 

❺ Generate the static RSS code that doesn't come from the database, 
such as the <rss> tag and the channel information. 



<rss version= M 2.0 M > 
<channel> y 

〈 title 〉 

<link>... 
〈 description〉.•• 
<language>... 


Ths codt 七 abetted by 
' i\\t database - iVs always 
七 same -fo\r 七 Wis r\cv/s-fccd. 


o 



Query the aliens—abduction database for alien abduction data. 

abduction—id 

first name 

when 一 it—happened alien—description 

what 一 they did 


last name 



3 c-fov-c 

RSS toAt (or v\cv/s 
l-tcmS, V/C mus*t <\u€Vy 
-tKc /1/IyS^L database 
-fov alier> abduttior^ data* 

Loop through the data generating RSS code for each news item. 


<item> 

<title>... 

<link>... 
<pubDate>... 
〈 description〉..• 
</item> 


This todt doh-ta'ms daia evaded 
-Pirom ihe database, av\d thcv-cW 
be dav-c-Pully gchcv*atcd. 


o Generate the static RSS code required to finish up the document, 
including closing </channel> and </rss> tags. 


</channel 〉 
</rss> 
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</channel> 



〈 language 〉 
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& XML! 

PHP& MySQL^lagnets 


Owen's Aliens Abducted Me RSS newsfeed script (newsfeed. php) is missing some important code. 
Carefully choose the appropriate magnets to finish the code and dynamically generate the newsfeed. 


<rss version="2.0"> 



<title>Aliens Abducted Me - Newsfeed</title> 

http://aliensabductedme.com/ 

^sc^P^on>M 1 en abduct.on reports fro, a _n d the ㈣ 仙 
and his abducted dog Fang • 〈/description 






newsfeeAphp 


en-us 


<?php ,, 、 . 

require— once ( 丨 connectvars.php ), 

DB - U 娜' DB - PASSW ° RD ^ 


DB NAME )； 


6 


/ / RPtrieve the alien sighting data from MySQL „ 

$query = n SELECT abduction—id, ^%y S %t"'TA s'when it happened—rfc, 
••DATE FORMAT (when_it_happened, ^a^ od oY ; 一一 

"alien description, what_they_di 
"FROM Aliens 一 abduction n • 

"ORDER BY when— it 一 happened., 

$data = mysqli—query($dbc A $query); 

//Loop through the array of 山卽 ^ 七 1 叫姐 a , formatt.ng xt as RSS 

while ($row = mysqli_fetch array($data)) { 

// Display each row as an RSS item 


echo 


o 




$row[' 
echo ' 


'].'</link>'; 

,. • $ r 0 w[ ， when— it—happened—rfc’]. ’ 

.'^description^ . $ row[>what_they_did-] . -</description> 


• dateCT') 


echo 
echo '</item> 



> 

9 . 









































php & mysql & xml magnets solution 

& XML! 

PHP & MySQtNMagnets Solution 


Owen’s Aliens Abducted Me RSS newsfeed script (newsfeed. php) is missing some important code. 
Carefully choose the appropriate magnets to finish the code and dynamically generate the newsfeed. 



<^php header('Content-Type : text/xml ^)； ? > 

<?php echo - <?xml version=-1.0" encodxng^ utf-8 •> 

<rss version= M 2.0 M > 


|^^channel^J 

<title>Aliens Abducted Me - Newsfeed</title> 


?> Sirwilav -fco "the y/c used C3v-|icv 

m "the CAPTCHA bo output 

a PN 今 -this headev- causes -the 

sdiript -to ouifut By\ 



0 


<link> 




newsfeed.php 


the w ° rld c ° urtesy ° f ° wen 


<language> 


en-us 


</language 〉 


6 


<?php ,, 、 . 

require—once('connectvars.php ), 

麵， DB—USER, DB_PASSWORD, DB—NAME); 

/ / RPtrieve the alien sighting data from MySQL 

$query = ” SELECT abduction—id, fif^name^ AS ^ whe ' n it happened—rfc, 

••DATE FORMAT ( 油 en—it—happened, 。01 oY ; 一一 

"alien description, what_they_ai 
n FROM Aliens 一 abduct ion n •_ 


'ORDER BY when— it 一 happened 


DESC 


$data = mysqli_query($dbc, $query); 

//Loop through the array of 山卽^七丄叫 formatt.ngas RSS 

while ($row = mysqli_fetch array($data)) { 

// Display each row as an RSS item 


<item> 


0 


echo ' 



abduction 一 id 
<pubDate> 


].'</link>'; 

^$row[ 'when—it— happened— rfc 1 ]• 


.dateCT') 


• I </pubDate> 


echo • <de^cr iP t^ • ^owrwha^^d.dM . ' </descr 1 pt 1 on> 
echo , </item> , ; 


?> 


</channel> 


first name 


last name 


</channel> 

— 


i 

叫 


<rss> 


</item> 
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Tesr DriVq 


Add the RSS Newsfeed script to Aliens Abducted Me. 


Create a new text file named newsfeed. php, and enter the code for Owen’s RSS 
Newsfeed script from the Magnets exercise a few pages back (or download the script from 
the Head First Labs site at www. headfirst labs • com/boo ks/hfphp). 

Upload the script to your web server, and then open it in a newsreader. Most web browsers 
and some email clients allow you to view newsfeeds, so you can try those first if you don’t 
have a stand-alone newsreader application. The Newsfeed script should display the latest 
alien abductions pulled straight from the Aliens Abducted Me database. 




Alairti AJxfcjtilcd Mb - Mwnhwd 


Aliens Abducted Mb - Newsfeed 


Mein hold FIDTifi«r - Thay ttorw i^i ■，hlp tbu nil* of 


BHr<h 


a 




!□£. n?jd! 


Arilc li LK^Chc 


MihttnA ^ h**di*. thlftny 

BflHl WCK 1 山 

Shill WvtMr ■' Thvrv w-il ■ brl|ii ! i llfhl Id tha ... 
Db-IIi-i Clvflvif - C4ymi-v Itttl* huflii*r_ r h»di na 

fii#^ ha pvl ml la pl«y Su^ nup<. 

Silly Jorti* ■ gfAd*n iwllh SiK tBiHliiCl*!-.- 

物 脚 pilrrfKl Ml % 戽辨 B&A3 


■ 0 ! 


a II m blj _hin s -, 


■ i r 


4 U 13 


RAKTffl 

抑 u 


FNnnMchis 

Al 

YHflfl^iry 
|.Ul (I 

TlMhhiW 
LAH hto«r 


IM 


The newsfeed looks 
great, but how do 
site visitors find out 
about it? 


Il«|f l<Kll 

n a bated 


h#d Ilk* dGPnh.«yi nt_d_ 

Hf^Ti B ^ta«l l ir a Pip &pin _ 炉 _ _ i 


Amis m. 


LipSlKIlNM 
5M^8f=rfcfl n Mul 


i€iy pivlv ■ nd pa n durlng- 

I, n^itwvs?rq»d nil … 



l*P youv* bvowsev- hois 
trouble viewing the 
^ews-feed, t\ry usmg 

-feed-// *m the URL 
instead c^f http://. 


The K>cws-Pccd php 
Wipt gchcv-a-tcs 
R££ hcws-feed 
do^umch-t -that e.av\ 
be viewed by a^y 
RSS hcwsv-cadcv-. 


O 

D 



Just provide a link to it from the home page. 

Don’t forget that newsfeed. php is nothing more than a PHP script. The 
only difference between it and most of the other PHP scripts you’ve seen 
throughout the book is that it generates an RSS document instead of an 
HTML document. But you still access it just as you would any other PHP 
script — just specify the name of the script in a URL. What Owen is missing 
is a way to share this URL with people who visit his site. This is accomplished 
with very little effort by providing a syndication link, which is just a link 
to the newsfeed. php script on Owen’s server. 
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providing an rss link 


Link to the RSS feed 


It’s important to provide a prominent link to the newsfeed for a web site because 
a lot of users will appreciate that you offer such a service. To help aid users in 
quickly finding an RSS feed for a given site, there is a standard icon you can use 
to visually call out the feed. We can use this icon to build a newsfeed link at the 
bottom of Owen’s home page (index . php). 


TVis \cov\ is available m all 
kmds siz^s 

-formats, ku*t 
look Bv\d o+ i*t is 



A standard RSS € 

icon is available to 
make it clear to 
users tkat you oiler 

an RSS newsleect. 


" 1 。 _ 0 彳 
⑽邮 I 

iQioljjJ 

rssicon.png 


:dov/hload a dollcdtioh 
o( RSS idohS ih di-P^cv-Cht 
dolo\rs 3hd -fo\rmats ; 

ou "t wy/y/.-Pccdidohs.dom. 


"Uc URL i\\t ” cv/sW »s jus 七仏 C 

^cv/s-fccd \>K\> v/WA v/ovks as 

as i\\t is scored m tKc same A*oldcv 

as -tKc mdm v/ck \>ay kclov/. 


<p> 

<a href= M newsfeed.php M > 

<img style= M vertical-align : top; border : none" 

"rssicon.png" alt= M Syndicate alien abductions" / > 


src ： 


Click to syndicate the abduction news feed. 
</a> 

</p> 


"The ffTTl/lL hcws-Pccd lihk 
•mdudes both av\ RSS idoh 
3 hd dcs^viptivc text. 


Ann 


W 竭 nt Wr 


Aliens Alsducied Me 


wtth amroaMU? W 辑 钟明 i W 邮 *«»4 


A plromihCh-t lihk oh the 
Alices Abducted 

Me page o^fc\rs visi-fcov-s 
a (\\A\tk way -to autss 
0^cv\s hcws-Pccd- 



h*w you tuJ it encm 
R«pbn tt bwfrJ 

MwC neceiil nported ■Huctionsc 

2 MS 餐 ID : M^irlialeL K&wr 
AlbdUdM BjT ； AHiMl. d««RipcJCin ： 

I tenn They 啤 _ 

2DDS>47-1B :! 、 3kkey 

AbdudM ^r: ABMI teertpdoni 

45 minute Hup: hcad^. skinn,^ anra and lep 

2(He-#T-4S : Shill WatBtr 
: BtlUa Chtvy 

AbdudMl.^ AtiHid««ripckin' 

Hjhmi _ C_*V 晌 l«| 妒 《 姻 bq stiplua. 

24HG>A5-lil - SnJIjf J 。 嶋 

AlbdudM Fur: Atk-n dMcripcibn: 

wtih Eli Kmiclfcii 

O Clkk to symlkaArClH ■bductiwi 
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Tqst DriVq 


Add the newsfeed link to the Aliens Abducted Me home page. 

Modify the index . php script for Aliens Abducted Me to display the newsfeed link 
near the bottom of the page. Also download the rssicon . png image as part of the 
code from this chapter from the Head First Labs site at www. headf irstlabs . com/ 
books/hfphp. 

Upload the index . php script and rssicon . php image to your web server, and then 
open the script in a web browser. Click the new link to view the RSS newsfeed. 



*to 

RSS, alicr\ 

abdu^*tioir\ \rcpov*b 

av-c *to 

substv-'ibcv-s wrtJiou 七 

*to 

visit 

Abdud-tcd !At v/cb 


作 rs fy 




HAJLKKfS 
. 一 viteu 
^ OsMb^a 
9 Mj Sfrt 
—■ hkah 


*■ WChMliLPiW 蕙 


CS 7 : wnrt*di 


Hfifrfiow n*is-<r m J sfup ttw ^ tdv 200* 

a，Cn N,KI>jri * 3 >«即 jnd tddu 

Mifk^f Uifce^i , m 呼 hfjdvurm jna jnh il 
hi ftKfwi _ Thp_ shit 具 brlghr F^He in |h# $, 2QC4 

fc，，ti _ <_ 抑料 ^ _ 

3>i%i»oci - omn wrlh 3 ac CirtKint _W*r ] : 咖 j 

㈣ i 2 r 

^Dctmofr* H. ]wi 


■ *r ^ _ 

， BWin wrrn wx EivhCkJc j... 

扎 , hSiij^r»ft wi M big n6n- iiyi* 

DfW r Th#V *«*M Ukt dOfiic«^*i … 


Kj^ 


Ma-i- Jam 




i«Av 

& w m 
]wam 
J (B AM 


qtsrrhiCiflm 


ICffi JW 

imam 

1 OP w 


Allens Abducts Me - 

RMrmr- my w 


I wonder if thats the 
same dog I saw on that 
YouTube video... 




MAit jwrrw 


C\\\ot, dv> avid f[\\tv\s Abdudtcd Me 
y>ows-fccd veadev-, 七 Wmks she 

have see 朽 Pa% m a V^^Tubc video. 


I haven’t seen Fang, but 
these reports are amazing. 


With all these 
abductions going on, 
Tm always on the 
lookout for aliens. 
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add youtube content to owen's site 


A fioiWG is worth a tfroul'ank words 


After a newsfeed subscriber alerted Owen to a YouTube video with a dog in it 
that resembles Fang, Owen realized that he’s going to have to use additional 
technology to expand his search for Fang. But how? If Owen could incorporate 
YouTube videos into Aliens Abducted Me, his users could all be on the lookout 
for Fang. Not only that, but he really needs to come up with a way to avoid 
constantly doing manual video searches on YouTube. 



^Id -this 


Oy/cr\ thihks 
video may hold 
"the -Pihal dhswcv~ 
"to -Pihdihg 
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Although YouTube holds a 1 。七 o*f 
pvomisc -fo\r hdpmj *m his 'ues*t 

"to -f'md he du\rvc^-tly has -feo do 

扣 aw-ful lo-t o( md 灼 udl video 


YouTube is an amazing tool for 
gathering alien abduction evidence 
in my search for Fang... but ifs a 
drag having to painstakingly search 
for new alien abduction videos. 


Vaur^plf 




fQUTU&P 






QucPLipiWl 




□UnsaiHucffiUrT* 






C©mmuflirt，¥ 


Qh>inntlH 




Ham# 


drisr Vcwrij^r 


M 


ky * 


Vkirai 


dbducEion dasl 




Pug Abducted By UFOl 


Eiltel Tewefl 


Near 


UFO spotteo 
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© 

o 


^^Try this! 


Visit Owens YouTube videos at www.youtube.com/user/aliensabductedme 


Watch a few of the alien abduction videos that Owen has found. 
Do you think the dog in the videos is Fang? 



Wouldnt it be dreamy if I could see 
videos directly on Aliens Abducted Me 
rather than having to search on YouTube? 
If only there was a way I could just go to a 
web page and have the search already done 
for me. But thafs nothing but a dream... 
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pulling content is different than pushing content 


Pullmq web cowtcwt from others 


The idea behind an RSS newsfeed is that it pushes your content to others 
so that they don’t have to constantly visit your web site for new content. This is 
a great way to make it more convenient for people to keep tabs on your site, as 
Owen has found out. But there’s another side to the web syndication coin, and 
it involves pulling content from another site to place on your site. So you 
become the consumer, and someone else acts as the content provider. In Owen’s 
case of showing YouTube videos on his site, YouTube becomes the provider. 


YouTube is the 
provider of videos. 


Aliens Abducted Me is 
the consumer of videos. 






Abduc-lrd Mr 


i^m\ 


lliens Abducted Me 

yqu tudjfi eJKOiMM wWi «™raejm*n? Wwtjuu iWuciedT Mn^youiuaim' 


Wtlcorae 

Ktpon it 


SJime m+ni n-fKuud Ahduciibuu 



2 娜观 _ 10 : 
Aliducuil far: 

3i»un 
290S-OT-I1 s 

/hbdluclJHl fun 
45 minute 

2908 ^ 07-45 : 

^lulucfiMl far! 

ioos^m- 21 : 

AlrdumKl fbr 

ilmaua wtcic 
2 (»g- 0 S-Mf 
ilbductcd fan 

1 di^r 


Mfirhalid. Kfcunrr 
AUhv dfur%icibn: 

nicy size otim moon. 

SiUcitcy MUlcas. 

A Sen dnedpdan: 

Hup heads-. Aiiuiy anm and 
Sk 3 UI Watatr 

Atitn dM£i^iiJfin2 

Th^r? wu 纛 llglii In cht slqy, 时 _ ttrt ： 併 xq 

EcEila Chcfif 

Aififrn dtMi^pikini 

Clumsy link- 
SaUji Jones 

A Sin dKTiQiEkini 
jpmrn wilh s« 


□ f! Ik4 hi iht JhbdiMtkin amdi fc#dl. 


Tiic dcsi^y> of Aliw Abdud*tcd Me 
home pay Will v\ttd b> dV>ar>^c sli^ivtly *to 
make voom -fov *tKc video sc3v-dii vesul*ts. 


It’s important to understand that Owen doesn’t just want to embed a specific 
YouTube video or a link to a video. That’s easy enough to accomplish by simply 
cutting and pasting HTML code from YouTube. He wants to actually perform 
a search on YouTube videos and display the results of that search. So Aliens 
Abducted Me needs to perform a real-time query on YouTube data, and then 
dynamically display the results. This allows Owen and his legion of helpful Fang 
searchers to keep up-to-the-minute tabs on alien abduction videos that have 
been posted to YouTube. 


Videos i\\ai av-c i\\t 
result a Vo^Tubc al'ic^ 

3 v*c 

v"C*tviV"r\cdi by YouTube ay\d 

-fed m*to 0>wCir\ S 
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Syndicating YouTube videos 


In order to source videos from YouTube, we must learn exactly how YouTube 
makes videos available for syndication. YouTube offers videos for syndication 
through a request/response communication process where you make a 
request for certain videos and then receive information about those videos in a 
response from YouTube’s servers. You are responsible for both issuing a request 
in the format expected by YouTube and handling the response, which includes 
sifting through response data to get at the specific video data you need (video 
title, thumbnail image, link, etc.). 

Following are the steps required to pull videos from YouTube and display them: 


Syncticatingf videos 
Irom YouTute 
involves issuing 
requests and 
kanctlingf responses> 


o 

❺ 

o 

o 


Build a request for YouTube videos. 
Issue the video request to YouTube 


、 TW»s 

七 he 


is 。 { 七 … 


v-ccuACs-t o 士 * te) 

o^* 3 WRL 


/ouTubc uses 
XML "to irespohd 
Vl deo vc^ucs-ts. 

J 

Receive YouTubes response data containing information about the videos. 


Process the response data and format it as HTML code. 


Client web 
browser 


"The b\rowscv- initially 
asks web scv-vcv- 


TKc -f 'mal pay 

七 is delivered -to *tKc 
bvov/sev - is fuve HTAIL-. 


The PliP sdvip-t pv-odcsscs 

the video data a^d v-ctuv-^s a 

(o^aiicd ttT/WL web page. 


YouTube 
web server 


The PttP Sdv-ift requests 

video dd*ka -Pv-om -the 




\y\ addition bo *tV>c MyS^L 

dd*kdbdse (or alie^ abdud*tio 灼 

-tKc PttP sdrift r>ov/ also pirodcsscs 
-tKc YouTube video vcsfoi^sc. 


\4u7ubc scv-vcv- 

dodurvtCh'b 
video data. 
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introducing REST requests 


Make a YouTube video request 

Pulling videos from YouTube and incorporating them into your own web pages 
begins with a request. YouTube expects videos to be queried through the use of 
a REST request, which is a custom URL that leads to specific resources, such 
as YouTube video data. You construct a URL identifying the videos you want, 
and then YouTube returns information about them via an XML document. 

The details of the URL for a YouTube request are determined by what videos 
you want to access. For example, you can request the favorite videos of a 
particular user. In Owen’s case, the best approach is probably to perform a 
keyword search on all YouTube videos. The URL required for each of these 
types of video REST requests varies slightly, but the base of the URL always 
starts like this: 


there J are no o 

Dumb Questi 9 ns 

What does REST stand for? 

REpresentational State Transfer. 
This is definitely one of those acronyms 
that sounds way fancier and more 
technical than it really is. The main idea 
behind REST is that web resources 
should be accessible through unique 
links, which means you should be able 
to access “RESTful” data simply by 
constructing a URL for it. In terms of 
YouTube, it means that you can perform 
video queries purely through a URL that 
contains the search criteria. 


http : //gdata.youtube.com/feeds/api/ 

TWis base URL is used -for 
all YouTube REST revests. 

Request videos by user 

Lg the favorite videos for a particular YouTube user involves adding The usev- a YouTube 

onto the base URL, and also providing the user’s name on YouTube. ^ • usev* pv-ovidcs access -fco "that 

usev^s -favovitc videos. 

http : / /gdata. youtube. com/feeds/api/users/userna/ne/favorites 


Requesting 


To request the favorite videos for the user elmerpriestley, use the following URL: r ocr-r 

The vcsulx ok tnis • 

http : / /gdata. youtube. com/feeds/api/users/elmerpriestley/favorites y-c^ucst -favov-i*tc 

videos -Pov- YouTube 

• • user cUcv-fv-'ics-tlcy. 

ijLS 1 Request videos with a keyword search 


A more powerful and often more useful YouTube video request is to carry out 
a keyword search that is independent of users. You can use more than one 
keyword as long as you separate them by forward slashes at the end of the URL. 

http://gdata. youtube . com/feeds/api/videos/-/A:ey^ordl/A:ey^ord2 / ... 

URL starts same as ^ Vo^i Uaci 

ky usev* but ncv^c you 

'Videos’’ ms*tcad U uscvs 


/Multiple keywov-ds tav\ be used 
•m a video by sepav-atih^ 

■them with -Po\rwa\fd slashes. 


use 


slashes aK>d the hyphen/ 


To request the favorite videos for the keywords “elvis” and “impersonator,” use Here tVic keyv/ords 

the following URL: 〆 - - - w e |v/ 孙 dl w *im\>crso^aW ， arc 

used *bo scav-^ -for Videos. 

http : //gdata.youtube.com/feeds/api/videos/-/elvis/impersonator 


The keywords a\rc dasc-ihSChsiiivc, so w dvis^ —少 
Elvis , l cLv|s dll give you the sdme v-csult 
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syndication and web services 



BE th^ 耶 

Your job is to ^et inside the mind of YouTub 
become a video REST request. Use tire magnets 
below to assemble video REST requests for tire 

following YouTube videos, and then 
try tiiem out in your web browser. 



All videos that match the keyword “Roswell”: 


All videos that match the keywords C 6 alien” and 66 abduction”: 


All videos tagged as favorites for the user headfirstmork: 


All videos that match the keywords “ufo”, “sighting”，and “dog”: 


All videos tagged as favorites for the user aliensabductedme : 




http : //gdata.youtube.com/feeds/api/ 



r^j 


v\ttd bo use 
sow\C o^c *b^c 
move OY\Ct- 


>mC of 


1 videOS \ I" dog * 
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be the youtube REST request solution 



be . 耶 矿 射猶 t 

Your job is to ^et inside tire mind of YouTube 
and become a video REST request. Use tire 
magnets below to assemble video REST 

requests for tire following 
YouTube videos, and tiientry 
tiiem out in your web browser. 


You mdv iiavc used 
some o\ 七 he maybs 

move ov\Ct- 


The same base YouTube URL is 
used (or dll o( i\\t REST guests. 


All videos that match the keyword “Roswell”: 


TV single keywov-d 
^ appear last i h ihc URL. 


http : //gdata.youtube.com/feeds/api/ | 

| videos | 

|/| 

hi 

M 

| Roswell | 


Bach o( *tKc scav-dii keywords 
appeav - a*t cv>d o( *ti^c URL, a^d 
avc scfav-a*tcd by -fovv/av-d slashes. 

T 7 ! -|| / ||alien ]□[ abdhjction^J 


All videos that match the keywords “alien” and 66 abduction”: 


All videos tagged as favorites for the user headfirstmork: 


http://gdata.youtube•com/feeds/api/ 


users 


headfirstmork 



The URL -PoV 3 uscir^s -f3vo\ri"tcs V"C^uivcs 
七 he v/o\rd “useirs" heme msicad o( Videos” 

All videos that match the keywords “ufo”, “sighting”，and “dog ”： 

http://gdat a.youtube.com/feeds/api/ || videos |j / TVT Ufo [| / y sighting~ 『 / |j dog | 
• •••••••••••••••••••••••••••••••••••• •••••••••••••••••••••••••••••••••••••••••••••••••• * • • • • • • • • • • ••••••• • • • • •••••••••• •••••••••••• 



All videos tagged as favorites for the user aliensabductedme : 



The URL ends with 

the wovd w -Pavov-itcs w . 


http://gdata.youtube.com/feeds/api/ 

users 

/ 

aliensabductedme 

/ 


favorites 




This 

used 


^^ghct wash't 

. its a 匕 Ohspiva 匕 y/ 


Tins is r^amc of 
usev y/Kosc -favov-*i*tc 
videos you v/3r>*t *to atdess. 
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syndication and web services 



Dumb Quest! 


9ns 


How is REST different than, say, a GET request? 



It's not. Any time you've used a GET request, such as simply 
requesting a web page, you’re using REST. You can think of a normal 
web page as a REST resource in that it can be accessed via a URL, 
and GET is the REST “action” used to access the resource. Where 
REST gets more interesting is when it is used to build queries, such 
as YouTube video requests. In this case you’re still dealing with REST 
requests but they are querying a database for data instead of simply 
requesting a static web page. 

Does the order of arguments matter when performing a 
YouTube keyword search? 



Yes. The first keywords are given a higher precedence than later 
keywords, so make sure to list them in order of decreasing importance. 

When there are multiple matches for a video search, how 
does YouTube determine what videos to return? 



YouTube keyword video requests return videos based on search 
relevance, meaning that you will get the videos that best match the 
keywords, regardless of when the videos were posted to YouTube. 


you are here ► 
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building a REST request 



Owen is ready to build a REST request 

Since Owen’s goal is to scour YouTube for alien abduction videos that might 
have Fang in them, a keyword search makes the most sense as the type of REST 
request to submit to YouTube. There are lots of different keyword combinations 
that could be used to search for possible Fang videos, but one in particular will 
help home in on videos related specifically to Fang: 



http : //gdata. youtube. com/feeds/api/videos/-/alien/abduction/head/first 

While you probably wouldn’t reference the title of a book series when 
carrying out a normal YouTube video search, it just so happens to be a 
good idea in this particular case. Let’s just say it’s a coincidence that a 
lot of alien abduction videos have been made by Head First fans! With a 
REST request URL in hand, Owen can scratch off Step 1 of the YouTube 
video syndication process. 



丁 he las 七 "two keywords 
help "to make su\rc you 
"the aliCh dbdud'tioh videos 
elated -to Owch ahd 



-f ivs-t step is kr\otkcd 

out Aa 灼 ks *to 七 he 

^>uTubc vc^ucs't URL- 


Build a req'jest for VcuTube-vldeosr 


❻ Issue the video request to YouTube. 

❺ Receive YouTube's response data 

containing information about the videos. 

o Process the response data and format it 
as HTML code. 
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syndication and web services 



Tesr DriVq 


Try out Owen’s YouTube request URL. 

Enter Owen’s YouTube request URL in a web browser: 

http :// gdata.youtube.com/feeds/api/videos/-/alien/abduction/head/first 

What does the browser show? Try viewing the source of the page to take a look at the 
actual code returned by YouTube. 



on 


YijuTutu- VidHW. 


YouTube Videos 


8 Total 


12.M AM 


UFO Spotted Crashing Party at Graecla … 

anynuBijal con^ir^ai Viator rate, a IIPO was sooted crBShtr^a fiiucgus party at tyaceland, me 
iiflfflft orihrs unrtinpirtiHi King «T Rfll1 - 

nRj^!ii | .www , sififtrtrirartfth^.cfirn ■ 

Allan a Turn Face of Sphinx Into fl Dogl (• 伽 • Tem^. iz；45 ah 

Watch aa a UFO laaer cftiaela the fae* ol the tStiinx _ 咖 
Ftirjirt Kihiid FirstPNP A 

tiifjiJftwvilieadrirEllabE.Mni Rfl-adfTM?re... 

Dag Rid** in UFO Hovarlng N*ir S_n … ili™«WsK4*dmii VwWrdaiy,. WM 

Thi it h«_vid 剛 _ a ㈣ 咖 in a UFO M _ 娜 ㈣ 眶牠 Cfeld.n Qa^Biid^. 
n&ad 吊 aft... 

UFO Spotted Naar ESfl#l Tow#rI ¥«_ 啤 _ ifl > 脚阳 

Ctwcfcoiriinis Map or a MKJinq cats w : Pans. 

MlWltl FlffJPHP A MySOl 1 
nnjwwft JitiidrirstiabE‘ 《 3m ^-s j nwram 


, fl AbducUd By llFOt ailMH^xduElPdrn* Ml PM 

Ip! My do^waii abdudud byjilwis. " 1 


丁 he web b\rowsc\r views the )(/l/|L 
data \rctu\rhcd by the YouTube 
\rcspohsc as d hcws-Pccd ； except \ y \ 
this case cac\\ item is actually a video. 


you are here ► 


687 




















making REST requests in a php script 



Requesting videos from YouTube by typing a 
URL into a web browser is neat and all, but 
what does that have to do with PHP? Why can’t 
we access the video results from a script? 


cxlchsioh -to PttP, 乩 o(^s 

x DUD plcXr， "- oa<1 --^ ilc0 ^ 纤 io 〜詷 s added 

to p+P ih V 饮 sioh 气 So pv-iov- vcv-siohs pftp 

doh^-t have built—ih suppovl )(ML pvodcssmg. 


We can, we just need a PHP function that allows us 
to submit a REST request and receive a response. 

The built-in PHP function simple xml load file () lets us submit 
REST requests that result in XML responses, such as YouTube requests/ 
responses. The function actually loads an XML document into a PHP 
object, which we can then use to drill down into the XML data and 
extract whatever specific information is needed. So how does that impact 
Owen’s YouTube video request? Check out this code, which creates a 
constant to hold a YouTube URL, and then issues a REST request using 
the simplexml load file () function: 


define( 1 YOUTUBE—URL', 'http :// gdata.youtube.com/feeds/api/videos/-/alien/abduction/head/first'); 


/ $xml=simplexml load file(YOUTUBE URL); 

L - -- 

^ -tKc ^ccd cvev a^scs. 

O Build c request for VouTube^ideosT 


AltKou^ hot sirMy pessary, it s 

_ a Y od ldca ^ st>rc s{ ^ ht 

• 丄乙 so 払 at ， ^ 


0 

o 
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Issue-thc video request to YouTqfacT 


deceive VcuTubc's response data 

HTfcmTOti0rrnbotrM B he~¥f€!e0ST 


Process the response data and format it 
as HTML code. 

These -two s-fceps 
how dohC^ 

Chapter 12 



o 


Don’t sweat it if you don’t 
know what an object is, 
especially in the context of PHP. 

A PHP object is a special data type 
that allows data to be packaged together with functions 
in a single construct. All you need to know for now 
is that it’s much easier to process XML data in PHP 
by using objects. You’ll learn more about how this is 
possible in just a bit. 



















syndication and web services 


<?xml version='1.0' encoding='UTF-8'?> 

〈feed xmlns='http://www.w3.org/2005/Atom' 

xmlns:openSearch='http://a9.com/-/spec/opensearchrss/l.0/ 

xmlns : gml='http : //www.opengis.net/gml' ， 

xmlns : georss='http :/ /www•georss•org/georss, 

xmlns:media='http://search.yahoo.com/mrss/I 

xmlns:batch='http://schemas.google.com/gdata/batch 
xmlns:yt='http://gdata.youtube.com/schemas/2007, 

ter m ='http:// g data.youtube.co m /sc h e m a S /2 0 07#v ld eoV> 

(title type='text'>Favorite S of aliensabductedme</t 1 tle> 

<logo>http://www.youtube.com/img/pic_youtubelogo 123x63 gi / og^ com/feeds/api/users / a ii e n S abductedme'/> 

<author> 

<g：nerator ver S ion=> 2.0 ' uri=' http : //gdata. youtube. com/ - >YouTube data APK/generator> 

<openSearch:totalResults>9</openSearch:totalResults> 

<openSearch:startIndex>l</openSearch:startlndex> 

<openSearch:itemsPerPage>25</openSearch:itemsPerPage> 

<e <Shttp://gdata.youtube.com/feeds/api/videos/ T 6Uibqf0vtA</id> 

<published>2006-06-20T07:49:05.000-07:00 〈 /published 〉 

SEES 蹀王 ㈣ ^ 

<category scheme='http://gdata.youtube.com/schemas/ 7/ k "gdata.youtube.com/ S chemas/2007#video'/> 

<category S cheme='htt P : //schemas.google.com/g/ 2005 tond term http //gy^ 

<category scheme^ http : //gdata.youtube, com schema S /2 === ^at' term='aliens '/> 

<category scheme=' http : //gdata.youtube .' cat' term='alien'/> , 

<category scheme=' http : //gdata.youtube. com/schema S /20^ at , term= . Trave l' label='Travel & amp; Events'/> 

<category S cheme='http://gdata.youtube.com schemas 2 7 categories cat 

<category scheme^ http: //gdata. youtube. co m / S chemas/2007 A . cat ^ ^ 

<category S cheme='http : //gdata.youtube.oom/schemas/2007/teywords.cat^ te 

<category scheme-http://gdata.youtube.co m / S chemas/2007/^ord S cat^ te ^ ;> 

<cat egory scheme='http://gdata.youtube.com/schema s /2007/keywords cat g 

<title type='text'>UF0 Sighting in Yoseimte Park A rea 1 / park is ver c i ose to the border between California 

<content type=' text'>1 went on a trip to Yosem.te Par k 2002 & of iight h ， gh up ±n the sky , ^ 

evening, on my way out of the park, I wa, dr.v.ng down a : 丄 =" ，二 =; d then 工 grappe d my camera to take some photos 

, , r , ■一 >>=11 nf 1 i rrht disad 


/> 


This is -the )(ML -file 
\rctu\rhcd by the 
simplc>cmMoad_-filcO 

dohsists o( YouTube 
XA1L dd'td -Po\r the 
videos v-c^ucs-tcd- 


it we 丄丄 enougn. uiu-uj. -- 

: — ===:工 
Af =: :二 

<author> 

:：娜 .⑽細 油 - 咖 W 卿此 </ 如 > 

</author> 

<m ： "edla ： ?i?ie type='plain'>UF0 Sighting in Yosemite Par^near Area park is very clo se to the border between of light 

: = 二工 :么 

H in the skv where the light had disappeared. 〈 /media:description 〉 

A few F a Tre e n^ e \ S ret pe c a a? California, nevada, sighting, sightings, ufo</media : k eywords> 

^. rtsP ： //rtsP2 .^ type=,vide t pp ', me rrr e rr P r s r, 仙， 

dUrat ^a ； c^^^ ： // rtS p 2 - y o Utub e.coWC h o LENy 73 Wl a E anavvSnMK 1 ^ tyP e=.v id eo/3 gP P — 

dura tl on=^50 6^/> ^ ^ ^ you tube. com/watch?v= 6uibqf OvtA '/>^ height= , 97< width= . 13 0> time=' 00 : 00 :25'/> 

=== 汶:二 一 2 。，—° ：00：25，/> 

〈 /media: group 〉 • “一 "qqi ，/、 

: 

<gd:comments> 


Awesome... an even bigger problem! 
What on earth do we do with all that 
messy XML data? There's no way a 
PHP script can make sense of all that. 


O 


o 


Oh, but there is! The XML code returned by YouTube 
isn’t really as messy as it looks... you just have to 
know where to look. 
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the request returns xml 


YouTube speaks XML 


The video response from YouTube isn’t exactly a DVD packaged up in a shiny 
box and delivered to your front door. No, it’s an XML document containing 
detailed information about the videos you requested, not the videos themselves. 


YouTute responds 
to video requests 

witk XML data tkat 


ctescrites tke videos. 




Although s a lot 30^3 
伽 ih this X/WL Codti Ohe 
th'mg -to home \ y \ oy \ is that 
“ 匕 h ihdividudl video 
inside of ah <Cht\ry> -tag. 


<?xml version:'1.0' encoding: 1 UTF-8'?> 

<feed xmlns='http :/ /www.w3.org/2005/Atom' 
xmlns : openSearch='http : //a9.com/-/spec/opensearchrss/I.0/' 
xmlns : gml='http :// www.opengis.net/gml' 
xmlns : georss='http://www.georss.org/georss' 
xmlns : media='http :// search.yahoo.com/mrss/' 
xmlns : batch='http :// schemas.google.com/gdata/batch' 
xmlns : yt='http :// gdata.youtube.com/schemas/2007' 
xmlns : gd='http :// schemas.google.com/g/2005'> 

<id>http :// gdata.youtube.com/feeds/api/users/aliensabductedme/favorites</id> 
<updated>2008-07-25T03:22:37.001Z</updated 〉 

〈category scheme=' http : // schemas . google . com/g/2005#kind' 
term='http :// gdata.youtube.com/schemas/2007#video'/> 

<title type='text'>Favorites of aliensabductedme</title> 

<entry> 

<id>http :// gdata.youtube.com/feeds/api/videos/_6Uibqf0vtA</id> 

<published>200 6-06-20T07:4 9:05.000-07 : 00</published> 

<media : group> 

〈media : title type= 'plain ' >UFO Sighting in YoSemite Park near Area 51</media : title 〉 

<media : description type= 'plain 1 > I went on a trip to Yo Semite Park in 2002 . Yo Semite Park is very 
close to the border between California and Nevada, and close to Area 51. . . </media : description 〉 
<media : keywords>51, alien, aliens , area, ca, California, nevada, sighting, sightings , 
ufo</media : keywords 〉 

<yt : duration seconds= ' 50 ' /> 

<media : category label= ' Travel & amp; Events' 

scheme='http :// gdata.youtube.com/schemas/2007 / categories.cat'>Travel</media : category 〉 

〈media : content url= ' http : // www. youtube . com/v/_6Uibqf OvtA' type= ' application/x-shockwave-f lash 1 
medium='video' isDefault='true' expression: 1 full' duration='50' yt : format='5'/> 

〈media : content url= ' rtsp : // rtsp2 . youtube . com/ChoLENy73wIaEQnQwSnbiKl_xMYDSANFEgGDA: 

type='video/3gpp' medium='video' expression='full' duration='50' yt : format='1'/> 

〈media : content url= ' rtsp : // rtsp2 . youtube . com/ChoLENy73wIaEQnQwSnbiKl 一 xMYESARFEgGDA: 

type='video/3gpp' medium='video' expression='full' duration='50' y 
〈media : player url= ' http : // www. youtube . com/watch?v=_6Uibqf OvtA' / > 

〈media : thumbnail url= ' http : // img. youtube . com/vi/_6Uibqf OvtA/2 . j pg 
time='00:00:25'/> 

<media : thumbnail url= ' http : / / img. youtube . com/vi/_6Uibqf OvtA/1. j pg 
time='00:00:12.500'/> 

〈media : thumbnail url= ' http : / / img. youtube . com/vi/_6Uibqf OvtA/3 . j pg 
time= , 00:00:37.500 , /> 

〈media : thumbnail url= ' http : / / img. youtube . com/vi/_6Uibqf OvtA/0 . j pg 
time='00:00:25'/> 

</media : group> 

<yt:statistics viewCount='2478159' favoriteCount='1897 ' /> 

<gd : rating min= ' 1' max='5' numRaters='1602' average='4.17'/> 

<gd : comments> 

<gd : feedLink href='http :// gdata.youtube.com/feeds/api/videos/_6UibqfOvtA/comments' 
countHint='442 6'/> 

</gd : comments 〉 

</entry> 

<entry> 

<id>http :// gdata.youtube.com/feeds/api/videos/XpNd-Dg6_zQ</id> 

<published>200 6-11-19T16:44:43.000-08 : 00</published> 


/0/0/0/video.3gp' 
/0/0/0/video.3gp' 


: format: 

6 1 

/> 


height= 

' 97 ' 

width= 1 

'130 ' 

height= 

▼ 97 ' 

width=' 

'130 ' 

height= 

' 97 ' 

width=' 

'130 ' 

height= 

'240 

'width: 

= '320' 


</entry> 
</feed> 


Ths starts video 

i\\t )<ML 代 sfcmse data. 
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rperi your pencil 


Study the highlighted XML code for the YouTube response on the facing 
page and answer the following questions. You might just know more 
about YouTube’s video XML format than you thought at first glance! 


1. What is the title of the video? 


2. What are three keywords associated with the video? 


3. How long is the video, in seconds? 


4. To what YouTube video category does the video belong? 


5. How many times has the video been viewed? 


6. What average rating have users given the video? 
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sharpen your pencil solution 

- %^arp«i your pendl 

Solution 


Study the highlighted XML code for the YouTube response on page 690 
and answer the following questions. You might just know more about 
YouTube’s video XML format than you thought at first glance! 



• What is the title of the video? 


〈 media:keywordsalien, (aliensj 
ufo</media: keywords 〉、 ■―^****^ . 


area, ca, 


California ，泛 evada) 



2. What are three keywords associated with the video? . .^.h. .ocyada 


3. How long is the video, in seconds? . 矜 Q. 


ty\CoAt^ some dhav-adtcirs 
usihj special CoAt^t sudh as farwf；, 
whidh vcpircsc^-b av\ am^ev'sahd (f).) 



Wents\ 

sbeuL^s /： 


〈 media:category label='Travel &amp; E ， 

scheme='http: //gdata• ySutuJD^TCom/scheu l a^2007/categories . cat ->Travel</media: category 〉 


4. To what YouTube video category does the video belong? .Travel.&.Eyc^.is. 


<yt ： statistics vi ew C Qun t=f24^Ii?^^^^7^7r7r 


5. How many times has the video been viewed? . 


Woy/, *tV>aVs a lo*t <^f 

VlCV/S... y>cavly mil|ioy>! 



6. What average rating have users given the video? 士 J7 
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Hmm, I*m a little confused with those XML tags 
that have two names separated by a colon. Is that 
somehow a way to organize tags? And what about 
the weird Aamp ； code in the video category? 



The unusual XML code uses namespaces and entities ， 
which help organize tags and encode special characters. 

When you see an XML tag that has two names separated by a colon, you’re 
looking at a namespace^ which is a way of organizing a set of tags into 
a logical group. The purpose of namespaces is to keep tags with the same 
name from clashing when multiple XML vocabularies are used in the same 
document. As an example, consider the following two XML tags: 





Namespaces are 
namect groups ol 

XML tags，wkile 

entities are used 
to encode special 
ckaracters witkin 

XML ctocuments. 

|*t may seem odd a 

affcavs m YouTube 
)<ML dodc — rt jus*t 
YouTube vclics pay 七 ly O 灼 art )<ML 
treated by Yaiioof. 


<media:title type='plain'>UFO Sighting in Yosemite Park near Area 51 </media:title 〉 

— 

Without the media namespace in the second 〈 title 〉 tag, it would be impossible 
to tell the two tags apart if they appeared in the same XML code. So you can think 
of a namespace as a surname for tags — it helps keep an XML document full of 
“first names” from clashing by hanging a “last name” on related tags. The YouTube 
response code uses several different namespaces, which means it is using several 
different XML languages at once — namespaces allow us to clearly tell them apart. 

To ensure uniqueness, an XML namespace is always associated with a URL. For 
example, the media namespace used in YouTube XML data is established within 
the <f eed> tag like this: 




xmlns : media='http :// search.yahoo.com/mrss 


TVis WRL ish’t actually a 
web page - it s jus-t a uh— 
idchti-Picir -Po\r a 



The other strange thing in the YouTube XML code is & amp; ， which is XML’s way 
of representing the ampersand character (&). This is an XML entity, a symbolic 
way of referencing a special character, such as &， <, or >, all of which have special 
meaning within XML code. Following are the five predefined XML entities that you 
will likely encounter as you delve deeper into XML code: 


&amp; 


] = Q 


&it ； 


]=Q & ot j= v] i &apos D = n 
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anatomy of a youtube xml response 


Pecowstruct a YouTube XML response 


Once you get to know the structure of a YouTube response, extracting the video 
data you need is pretty straightforward. In addition to understanding what tags 
and attributes store what data, it’s also important to understand how the tags 
relate to one another. If you recall from earlier in the chapter when analyzing 
an RSS feed, an XML document can be viewed as a hierarchy of elements. The 


same is true for the XML data returned in a YouTube video response. 

<entry> 

<id>http :// gdata.youtube.com/feeds/api/videos/_6Uibqf0vtA</id> 
<published>2 00 6-0 6-20T07:4 9:05.000-07 : 00</published> 



T\\t <*bi*tlc> * 1^5 tor\*ba'ms 

title o-f i\\t video. 

fh this 6odc, -the tag i 
Mmcd u ti-tlc u ahd -the 

is 



<media : group> 

〈media : title type= ' plain ' >UFO Sighting in Yosemite Park near Area 51</media : title 〉 

〈 media: description type= 'plain' >1 went on a trip to Yosemite Park in 2 002. Yosemite Park is very 
close to the border between California and Nevada, and close to Area 51. . . </media : description 〉 TV^c keywords 
<media : keywords>51, alien, aliens , area, ca, California, nevada, sighting, sightings , 
ufo</media:keywords 〉 

duration seconds=' 50 ' /> - - - - - - - --- 


<r 


<yt 


< 2 - 


<media : category label= ' Travel & amp; Events' 

scheme=' http : / / gdata . youtube . com/schemas/2 00 7/categories^T?«>t >< |>Travel</media : category 〉 

〈media : content url= ' http : // www. youtube . com/v/_6Uibqf OvtA' type= *^p^i4cation/x-shockwave-f lash ’ 
medium= ' video ' isDef ault= ' true ' expression= ' full' duration= ' 50 ' yt : f orm^*t^<5 ' / > 

〈media : content url= ' rtsp : //rtsp2 . youtube . com/ChoLENy73wIaEQnQwSnbiKl_xMYr^^S^qGDA: 

type='video/3gpp' medium='video' expression:'full' duration:'50 1 yt : format='1'/> 

<media : content url= ' rtsp : //rtsp2 . youtube . com/ChoLENy73wIaEQnQwSnbiKl xMYESARFEgGDA: 


-fov- video. 

The Ichg-th <^f -the 

video, ih sc^ohds. 


/0/0/0/video.3gp' 


type='video/3gpp' medium='video' expression='full' duration:'50 1 yt : format 
〈media : player url= ' http : // www. youtube . com/watch?v=_6Uibqf OvtA' /> 

<media : thumbnail url= ' http : // img. youtube . com/vi/_6Uibqf OvtA/2 . jpg 
time='00:00:25'/> 

<media : thumbnail url= ' http : / / img. youtube . com/vi/_6Uibqf OvtA/1 
time='00:00:12.500 ' /> 

<media : thumbnail url= ' http : / / img. youtube . com/vi/_6Uibqf OvtA/3 . jp 
time= , 00:00:37.500'/> 

<media : thumbnail url= ’ http : / / img. youtube . com/vi/_6Uibqf OvtA/0 . jpg 

time='00:00:25'/> __ 

</media : group> 1 ^^ 


/> 


height^'97' width='130' 



pg ' height='97' width='130 


height='97' width='130 


height='240' width='320 


p/0/0/video.3gp' 

The YouTube 
Video. 


The lihk "fco 
the video Oh 

YouTube. 


2478159' favoriteCount='1897 


numRaters='1602' average: 


<yt : statistics viewCount= 

<gd : rating min= ' 1' max= ' 5 
<gd : comments 〉 

<gd: feedLink href=' http : // gdata . youtube . com/feeds/api'/N^ideos/ 
countHint='442 6'/> 

</gd : comments> 




丁 hes-ta^ds (or ^oo^le 

Data，and mdludes dc-P'mcd by 

^oojlc -Poir various kmds 

— Y^uTlAbe is pairt of ^oo^l e- 


"The usev- 

of video. 


A 七 o-f 
i\\t video, (or 


ibqfOvtA/comments' 

Tiic o-f 七 imes 

video has vicy/cd- 


One important clue toward understanding the video data buried in this XML code is 
the different namespaces being used. The media namespace accompanies most of 
the tags specifically related to video data, while the yt namespace is used solely with 
the 〈 statistics 〉 tag. Finally, comments are enclosed within the 〈 comments 〉 
tag, which falls under the gd namespace. These namespaces will matter a great deal 
when you begin writing PHP code to find specific tags and their data. 
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Visualize the XML video data 


Earlier in the chapter when working with RSS code, it was revealed that an 
XML document can be visualized as a hierarchy of elements (tags) that have a 
parent-child relationship. This relationship becomes increasingly important as 
you begin to process XML code and access data stored within it. In fact, it can 
be an invaluable skill to be able to look at an XML document and immediately 
visualize the relationship between the elements. Just remember that any element 
enclosed within another element is a child, and the enclosing element is its 
parent. Working through the XML code for the YouTube video on the facing 
page results in the following visualization. 

TV^c ⑼七 vy element is 
*topmos*t element m *b^»s 

cW 灼 k of yML 


The XML data is organized 
into a hierarchy of 
elements (tags). 


An element is just 
an abstract way 
oi tkinkingf oi an 

XML tagf and tke 

data it contains. 

todc- 




一 一一一 


entry 


一 - 


一 〆 一 



id 


published 


group 


statistics J rating 


comments 



I I l I 

title description jticeywords duration category content content j|.., 


player thumbnail # 


thumbnail 


feedLink 




The significance of this hierarchy of elements is that you can navigate 
from any element to another by tracing its path from the top of the 
hierarchy. So, for example, if you wanted to obtain the title of the video, 
you could trace its path like this: 


"to dh clcruCht \v\ dh 
XML do^urwcht involves ^ollov/ih^ 
the path -P\rorh "to dhild. 



title 


Why do I even need to worry about namespaces? 

A- 

r \* Because XML code generated by others often involves 
namespaces, which affects how you access XML elements 
programmatically. As you’re about to find out, the namespace 
associated with an element directly affects how you find the element 
when writing PHP code that processes XML data. So the namespace 
must be factored into code that is attempting to grab the data for a 
given element. 


How do I know if a tag is part of a namespace? 


A 


Although it's possible to have a default namespace that doesn’t 
explicitly appear in the code for a tag, in most cases you’ll see 
the namespace right there in the tag name, so the tag is coded as 


〈media: title 〉instead of just〈title〉. The name to the 
left of the colon is always the namespace. 


you are here ► 
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all about php objects 


Access XML data with objects 


There are lots of different ways to work with XML data with PHP, and one of 
the best involves objects. An object is a special PHP data type that combines 
data and functions into a single construct. But what does that have to do with 
XML? The entire hierarchy of elements in an XML document is contained 
within a single variable, an object. You can then use the object to drill down into 
the data and access individual elements. Objects also have methods, which are 
functions that are tied to an object, and let us further manipulate the object’s 
data. For an object that contains XML data, methods let us access the collection 
of child elements for an element, as well as its attributes. 


Objects are a special 

PUP data type tkat 

combine data and 
functions togetker. 


SimpleXMLEIement 


accessed as a 

aw /ML object 



The PHP objedt 栎 a 七 

•IS used *to S*fcoVC dy>d 

)</\/lL da*ta is 你伙七 . 


A Sirwplc^(A1LElcrwCh't object 

methods -tha-t allow you io 
out r»o\rc dbou^t dcrhChts, sudh Ss 

dhild clcrwCh-b 5 hd attv-ibutc 


You’ve already seen how to create this XML object for Owen’s -tK'is -fu^dtioy\ 

alien abduction YouTube keyword search:__ 〆 vcc^u'ivcs PHP vcys'ioy> ^ ov la*tcv-. 

define ( 'YOUTUBE URL'/ 'http :// gdata.youtube.com/feeds/api/videos/-/alien/abduction/head/first'); 


$xml = simplexml load file(YOUTUBE URL); 


This code results in a variable named $xml that contains all of the XML 
YouTube video data packaged into a PHP object. To access the data you use 
object properties, which are individual pieces of data stored within an object. 
Each property corresponds to an XML element. Take a look at the following 
example, which accesses all of the entry elements in the document: 

^=r 戸丫 spcdi-Py'mg the Jc the clcmcht 

you gv-ab all o-f the 
eler^jvts that a\rc ih -the XML data. 


TWlS £.v-ca*tcs d PrtP 

o\>\tci *tv?c 

all tKc )<ML dala m 

七 YouTube Video v-cspohsc. 


$entries = $xml->entry; 


The -> opcv-a*tov lc*ts you attess 

3 pvopev-ty d 的 object- 

This code accesses all the entry elements in the XML data using a property. 
Since there are multiple entry elements in the data, the $entries variable 
stores an array of objects that you can use to access individual video entries. 
And since we’re now dealing with an array, each video 〈 entry〉tag can be 
accessed by indexing the array. For example, the first <entry> tag in the 
document is the first item in the array, the second tag is the second item, etc. 


/\|| Jc video cy>*tv-*ics avc 
s*tovcd *m {\\t jtv\br\ts avvay."~^^ 

qioiq 


$entries 
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syndication and web services 


From XML demcwts to ?W objects 


When it comes to XML data and PHP objects, you’re really dealing with 
a collection of objects. Remember that stuff about visualizing an XML 
document as a hierarchy of elements? Well, that same hierarchy is realized as a 

collection of objects in PHP. Take a look: 



title 


description Ijceywords duration category con tent content i ... player thumbnail 


thumbnail i| feedLink 


l/Vheh viewed through the Ic^s of 1 
XML object, the hicv-a\r^hy 
X^IL dcmchts becomes a 
nested Collection o*P objects. 




(published! 

0 A ^； 



/ 


f 



group Statistics, 
/ .. ， 


Tiic duvatio^ object is a 
c\\\\d o( *tiic youf objet-t 
s'mdc i\\t <duva*tior\> *ta^ 
is a cM\\A o-f <youp>. 





丁 he \ratmg object 

_s a dhild object 
o( the Chtv-y 
obj“t bemuse 
the <\ratih0> taa 

_s a ^hild -tag o-r 
<Cht\ry>. 


categoA ^ 七 

、 I (Eontenl f \ jjr \thumbnai 

X-/ t onten ) i piaye ? \ZJ 





This element hieararchy/object collection stuff forms the basis of understanding 
how to dig through XML data in PHP. With the relationship between individual 
pieces of XML data in mind, it becomes possible to write code that navigates 
through the data. Then we can isolate the content stored in a particular tag or 
attribute down deep in an XML document. 



Most o-f i\\t 

Covsit^i -fov d YouTube video 
is toy\*ba'mcd y/rtiVm Aild 
objct*bs <Jc *b^c youf object- 
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accessing object data 


Prill iwto XML data with objects 


Getting back to Owen, our goal is to pull out a few pieces of information for 
videos that are returned as part of the XML YouTube response. We know how 
to retrieve the XML data into a PHP object using the simple xml load 
file () function, but most of the interesting data is found down deeper in this 
data. How do we navigate through the collection of objects? The answer is the 
-> operator, which is used to reference a property or method of an object. In the 
case of an XML object, the -> operator accesses each child object. So this code 
displays the title of a video entry stored in a variable named $ entry: 


echo $entry->group->title; 


ttcv-c the -> opcvaW is used io dv-ill dovm thv-ouah 
hcstcd dhild objats autss the hi\t objed. 


This code relies heavily on the relationship between the title, group, and 
entry objects, which form a parent-child relationship from one to the next. 







Tiic object is a 

diiild youp 

is B 匕 Wild 

o\ bry object 


The -> operator references a child object from a parent object. So title is 
a child of group, which is a child of entry. Remember that the -> operator 
can be used to access both properties and methods. One method that comes in 
particularly handy is the attributes () method, which is able to pluck out 
the value of an XML attribute for a given element. 

The atbributesO method obtains 
% a\rvay of ol-t-tvibu-tcs -Pov- 3iv\ 

echo $attrs [ ' seconds']; 七（士 你⑶七 ). 


$attrs = $entry->group->duration->attributes (); 


This code drills down to the duration element and then grabs all of its attributes 
and stores them in the $attrs variable, which is an array of all the attributes. 
The value of the seconds attribute is then retrieved from the array. 


A atbribu 七 e value 

be vcVicvcd by us'm^ 

七 ir\3mC o^C a't'tv-'ibu 七 C 



$attrs['seconds'] 
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Not without a namespace! 


There’s a small problem with the code on the facing page that accesses XML 
data using objects, and it has to do with namespaces. If you recall, namespaces 
act as surnames for tags by organizing them into meaningful collections. So 
in a YouTube response, the <duration〉tag is actually coded as <yt : 
duration〉，and the title for a video is coded as <media : title>, not 
〈 title〉. When an element is associated with a namespace, you can’t just 
reference it by tag name in PHP code. Instead, you have to first isolate it by 
namespace by calling the children () method on the parent object. 


Namespaces make 
it a tit trickier to 


access elements 

witkin XML data. 


$media = $entry->children('http :// search.yahoo.com/mrss/'); 



This code retrieves all the child objects of the video entry whose namespace is 
http : // search . yahoo . com/mrss/. But that’s the URL for a namespace, 
not the namespace itself. This URL is located in the <f eed> tag at the start of 
the XML document. This is where you’ll find all the namespaces being used. 


The ^hildvchO method 
v-ctuv-hs ah a\r\ray 

all 0 + the ^ild 

elements that avc wrthih 

■the spc^i-Picd 


〈feed xmlns='http :// www.w3.org/2005/Atom' 

xmlns : openSearch= ' http : //a9.com/-/spec/opensearchrss/I.0/ 
xmlns : gml='http :// www.opengis.net/gml' 
xmlns : georss='http://www.georss.org/georss 
xmlns : media= ' http :// search.yahoo.com/mrss/ 
xmlns : batch='http :// schemas.google.com/gdata/batch 
xmlns : yt='http :// gdata.youtube.com/schemas/2007' ， 

xmlns : gd='http :// schemas.google.com/g/2005'> 



All s*tar*t»^5 

bclor\^ *to *tKis 

This is -Pov- 

"tajs m w <y 七 :' 


)) 


This code reveals how each namespace is associated with a URL. More 
specifically, it shows how the media and yt namespaces are specified for use in 
the document. This is all you need to find tags related to these two namespaces. 

Once you’ve isolated the child elements for a particular namespace by calling the 
children () method on the parent element, you can then resume accessing 
child objects with the -> operator. For example, this code obtains the video title 
from the〈media : group 〉 tag: 

$title = $ media->group->ti tie; ^ 〆 


Tiic <ti*tlc> *b3^ ,s ^ … Id 

o( *biic <mcdia^v-oup> *ba 汐 


Use tke ckilctrenO 
metkoct to isolate 
all elements 
associated witlt a 
namespace. 


your pencil 


Using the namespace information and PHP code above, finish the 
PHP code that gets the duration (in seconds) of a video clip. 


$yt = $media->children( 


$attrs = 


echo $attrs [' ']; 
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no dumb questions on objects 

- Sharpen ywr pencil 

7 SoMon 


Using the namespace information and PHP code above, finish the 
PHP code that gets the duration (in seconds) of a video clip. 



This is the URL -fov- 

$yt = $media->children (' / fl\da*tayou*tubc-^om/sdhcmas/Z007 '); ^ hamespade 3s 

, listed ih the <*fccd> 

$attrs = . 亏 I 、、 tag at the bcgihhmg 

echo $attrs [' .. ^or}ds ：]； (^vab all o-f attributes 乂 — do^^t 

-r- L r ,, , , f (or -tKc <y 七 : duvaW> *ta 》 

The o\ the attv-ibuic is J ^ 

used as -the key (or addess'm^ 

the attv-ibutc av-v-ay. 

there^ave no ^ 

Dumb Questi 9 ns 


How is an object different than an array? Don’t arrays also 
store collections of data? 


A 


What exactly is an object? Is it like a normal variable? 


Yes. Arrays and objects are actually a lot alike. But one huge 
difference is that objects can have executable code attached to 
them in the form of methods. Methods are pretty much the same 
as functions except that they are tied to an object, and are usually 
designed to work specifically with the data stored in an object. Arrays 
are purely about storing a set of related data, and have no notion of 
methods. Additionally, array elements are accessed by specifying 
the index or key of an element inside square brackets ([ ]), while 
object properties and methods are accessed by name using the -> 
operator. 

A. 

Yes. An object is exactly like any other variable in PHP; it’s just 
that it is able to store more complex data. So instead of just storing 
a string of text or a number, an object is able to store a combination 
of strings, numbers, etc. The idea is that by combining related data 
together with functions that act on them, the overall design and 
coding of applications becomes more logical. 

Q: 

A- 

Objects help in regard to XML data processing because they 
are able to model the element hierarchy of an XML document in 
nested child objects. The benefit to this approach is that you can 
navigate through child objects using the -> operator and access 
whatever data you need. 


So how do objects help in processing XML data? 


I thought the -> operator was for accessing object 
properties. How does it allow me to access a child object? 


A 


Hang on, what’s the SimpleXMLElement object? 


The reason is that when dealing with XML objects in PHP, child 
objects are actually stored as properties. So when you use the -> 
operator to access a child object, you really are just accessing a 
property. The SimpleXMLElement object is what makes this 
possible. 

A. 

Every object in PHP has a specific data type, meaning that 
“object” is really a generic term. So when you create an object, 
you’re creating an object of a specific type that is designed to 
accomplish a specific task. In the case of XML, the object type is 
SimpleXMLElement, and it is automatically returned by the 
simplexml_load_f ile () function. In other words, calling 
the simplexml_load_f ile () function results in the 
creation of an object of type SimpleXMLElement. 

A. 

Jr \* Surprisingly, not a whole lot. The main thing to know is that 
it exposes the elements in an XML document as properties, and 
that these properties lead to child objects that themselves are 
instances of the SimpleXMLElement object, and so on. The 
SimpleXMLElement object also has methods that allow you 
to access data within an element, such as children () and 
attributes (). 


What do I need to know about SimpleXMLElement? 
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syndication and web services 


Fang sightings are ow the rise 

While Owen has been busy brushing up on XML and figuring out how to 
communicate with YouTube, Fang has been busy. Numerous video sightings 
have turned up with the little guy apparently serving as a tour guide for his 
alien abductors. Owen is ready to finish up the YouTube script, get some videos 
showing on the Aliens Abducted Me home page, and find his lost dog. 





This XML stuff is fascinating but I 
have a dog to find. I keep hearing 
rumors about new Fang sightings on 
YouTube... I really need to get those 
videos on my home page. 


Puny 別 




The good news is that Owen is almost finished with the YouTube script. In fact, 
all that’s left is to finish processing the XML data and format it as HTML code. 

O Build c request fcr Voufcibe-videosT 

—@ — Issue - the video request to YouTube. 

—Q __Receive VcuTube's rcspor.se data 

containing informution about the videos. 

o Process the response data and format it 
as HTML code. 

Draw how you would format YouTube response data as videos 
along the bottom of the main Aliens Abducted Me page: 


Ao 乙 k ou 七七 Wis s-tep 
s£>\rip*t v/ill be dome! 
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arranging the youtube videos 


Lay out videos for viewing 


The idea behind the youtube . php script is that it will be included in the main 
index . php script for Aliens Abducted Me. This means that the youtube . 
php script needs to take care of submitting a video request, processing the XML 
response, and formatting the individual videos so that they are displayed via 
HTML in such a way that they can coexist with the alien abduction reports that 
are already on the main page. A good way to accomplish this is to arrange the 
videos horizontally along the bottom of the page. 

丁 his \row o( video 'thumbnail images 
is wha 七 "the youtube php sdvip*t is 

1 一 


Video 


Video 


Video 


Video 


Video 


TV^csc av-c Videos 
aY^dm^dlly autsstd 
VouTukc as ><ML data. 



Five video -thumbnails is a 
^urwbc\r "to hovizjOKrtally 

without takmj up -too mu 匕 h room. 




AO—ni Abd^clrd Mr 


The youtube. php 

script will be 
included so that 
the videos appear 
just below the alien 
abduction reports. 


Mkm AMucL^d Me 

JWU 咖比卿 itHiH Whli amaartamir W^yoa 域 7 Eik^y«u w»ry itJducud 


Wttcrae 

Ri^pan 杖 


^IdsC rmnl irpcirt^dl .bduclibviK 


Arranging the videos horizontally on the main page keeps them from detracting 
too much from the alien abduction reports. Also, we’re talking about arranging 
the video thumbnail images, not the videos themselves, so users will have to 
click a thumbnail to visit YouTube and see the actual video. It would eat up too 
much screen real estate to attempt to show multiple videos large enough to be 
embedded directly on the Aliens Abducted Me page. 



AtldUOWl iMI 

2006^07-]] i 
far: 

4^ mimnci 
綱 

j^bdluclcd ftin 
2bmn- 

漏抓 211 
yibdu?1«d fan 
il/UHt a urcck 

2HK>A5-]| ■ 
AThJumd ran 


McJrliald. Kc^wr 
Ata-n dMce^pLion . 1 

. ship dz; .df f ； Sail nwrmi. 

.Miclcn- MLkein 

Atk-n dHfr^pclDn: 

Huge h&adi, skirnji ajeh _ 

Shill Wttatr 

A Ben dncnoibcn 1 ； 

Them i briglrt liplu In the by a bn* of I 

A Bin dr^niptkjn 1 ： 

Chinujr liuic h^cn. had k> iti/thn. 

SoJIy JatiKK 

Afcn AtMtr^nkMfii 
gjisen wl£h Els ccfinicb 


® Ottta qiiidkut die MbdiMtikm 


This is a good spo*t *to 
sV^OY/ V-OY/ o\ video 
tVm 你 Uails so i\\ai visi*tovs 
ddr^ easily adless 你 . 
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syndication and web services 


Format video data for display 


Although a video thumbnail image is certainly one of the most important 
pieces of information when assessing whether or not a video is worth 
watching, it isn’t the only data useful for Owen’s YouTube script. For example, 
the title of a video could hold some important information about the nature 
of the video — like whether it might include a dog. The length of the video 
could also be helpful. And of course, we need the URL of the video link to 


YouTube so that the user can click on a video thumbnail to actually view a 
video. So the following information is what we need to extract from the XML 
data in the YouTube response: 

Title Length Thumbnail 



Link 


Several pieces of video 
a\rc \rc^ui\rcd ih 
ord 饮 "to fla^c YouTube 
videos oh a web 


This data forms the basis for the HTML code that displays a horizontal row of 
videos. In fact, each video in the row ends up looking like this: 


Title 

Length Link 

TK'is l*mk leads *to 
oy\ ^>u"Tubc> is followed 

video 

ov is d-lid-kcd- 


Thumbnail 


In the YouTube response data, the length of a video is specified in the seconds 
attribute of the <yt : duration 〉 tag. Unfortunately, most people don’t think 


in terms of total seconds because we’re accustomed to times being specified in 
minutes and seconds. For example, it isn’t immediately obvious that 330 seconds 
is a five-and-a-half-minute video — you have to do the math for the value to 
make sense as a length of time. Knowing this, it’s a good idea to go ahead and 
do the math for users when displaying the length of a video, converting seconds 
into minutes and seconds. 


Length 





( ^^Inutes ， 30 seconds^) 


ihtuitivc and easier 
*Po\r usc\rs -fco Uhdmtahd. 


一 I 

u 




Thai is, unless youVc 

pairi o-f the /ouTubc 

Di 代匕 "tov ^oyravn, i h 

whidh case you 6， ay\ 
post videos loh^ev* 
"thah lO mihu*tcs. 


It isn’t necessary to factor in hours in the video 
length calculation because YouTube doesn’t currently 
allow videos longer than 10 minutes to be posted. 
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complete the youtube.php script 





The youtube.php script uses PHP code to grab the top five matches for an alien abduction 
YouTube video search. It then displays thumbnail images for those videos in a horizontal row, 
with links to the actual videos on YouTube. Fill the missing code for the script, using the example 
YouTube XML video response data on the facing page as a guide. 


<?php 

define('YOUTUBE—URL', 'http :// gdata.youtube.com/feeds/api/videos/-/alien/abduction/head/first'); 
define('NUM VIDEOS', 5); 


// Read the XML data into an object 
$xml= (YOUTUBE URL); 


$num_videos 一 found = count( ); 

if ($num_videos_found > 0) { 
echo '<table><tr>'; 

for ($i = 0; $i<min($num_videos—found, NUM—VIDEOS); $i + + ) { 

// Get the title 

$entry = $xml->entry[$i]; 

$media = $entry->children('http :// search.yahoo.com/mrss/'); 
$title = $media->group-> ; 


// Get the duration in minutes and seconds , and then format it 

$yt = $media->children('http :// gdata.youtube.com/schemas/2007'); 

$attrs = $yt->duration->attributes(); 

$length_min = floor($attrs[' ' ] / 60); 

$length_sec = $attrs[' '] % 60; 

$length formatted =$length 一 min • (($length 一 min ! =1) ? ' minutes, ' : ' minute,'). 
$length_sec . (($length 一 sec ! =1) ? ' seconds':' second'); 

// Get the video URL 

$attrs = $media->group->player-> (); 

$video url=$attrs['url']; 
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// Get the thumbnail image URL 


$attrs = $media-> 


->thumbnail[0]->attributes() 


$thumbnail url=$attrs['url']; 


// Display the results for this entry 

echo ' <td style= M vertical-align:bottom; text-align : center" width= M ' . (100 / NUM VIDEOS) 


% M ><a href: 


$video url 


> 


$length formatted . ' </span><br /ximg src ； 


'<br / Xspan style= M font-size : smaller M > 
'. .' M / ></a></td>'; 


echo '</tr></table> 


else { 

echo '<p>Sorry, no videos were found. </p> 


?> 



Fed -fvee *fco 
this 

cample X/WL toAt 
while wvitmg the 
missing PUP Code- 


The video. 


^id^http://gdata. youtube. com/ feeds /api/videos/6Uibqf0vtA</id> 

<published>2006-06-20T07:49:05.000-07:00</published> — 

• • • 

〈 media: group 〉 n • in vosemite Park near Area bpc/media: title 〉 

〈media : title typ.e= plain ^ XUFOSig g y OS emite Park in 2002. Yosemite Park is very 

^lose fo e the "border bftween^Srnia and Nevada, and close to Area 51.. . </media: description> 
<media:keywords>51, alien, aliens, area, ca, California, ne vada, sxghtxng, sxg xng (| c ^) 

1 --- - ； video, \Y\ stCov\ds. 

l^^fravel " 


<yt: duration seconds:^^^ ， _ 

〈 media: category label= Travel &amp; Events / nn7/ . ■ C at ， >Travel</media: category 〉 

tvpe= ， video/3gpp 丨 medium= 'video 1 expressxon^^lX _ _ __ 

， height-97- width-130 

time: , 00:00:25 , /> 


97 ' width: 


240 1 width= 1 320 ’ 


<=H ， : f h i^^ 2 a 5 ^u > rl = ， h tt P: //im g . yOU t U b e . CO m/ V i/— 6U ib qf Q VtA / 1 .j Pg | height: 
iedfa:fhu^na'ii'url-^ttp : //img.youtube . eight: 

time: 丨 25 ’/> 、'- - - 1 

<y?!statis?ics viewCount= - 2478159 - f _ a ^ r n ^ Count= 

rating min=' 1 1 max= ' 5 1 numRaters- 1602 average 4 . / 

j — http://gdata.youtube.c_/feeds/api/videos/_6UibqfQvtA/comments ， 

countHint='4426'/> 

</gd:comments> 

</entry> 

<entry> 


The URL of 

130 ' "the video lihk 

97' width= , 130 , YouTube. 


TV^c URL 

a 灼 a’l 

“ay w) 
o( V»dco. 


</entry> 




















the completed youtube.php 



The youtube.php script uses PHP code to grab the top five matches for an alien abduction 
vr ^ # YouTube video search. It then displays thumbnail images for those videos in a horizontal row, 

with links to the actual videos on YouTube. Fill in the missing code for the script, using the 
example YouTube XML video response data on the facing page as a guide. 

0^tr!s YouTube 

<?php kcy>wo\rd scav-tV> URL. 

define('YOUTUBE—URL', ' http :// gdata.youtube.com/feeds/api/videos/-/alien/abduction/head/first 1 ) 

define ('NUM VIDEOS 、 5) ; xl L C • . » , 

I nc hurwbcv- o\ videos to be 

displayed is s-to\rcd as a 

// Read the XML data into an object 匕 _ 、 TV Joad_fllcO 

$xml = simplMoad__-fi1 1 (youtube url) ; -Pur>d*t'ioy> is used *to vc^ucs*t 

. 二 … 二 •… — ihc ><ML data ( \rom YouTube. 

$num_videos found = count ( f>Cir»\|—>c^*tv*y ) ； Chcdk *to SCC hov/ nr\dhy videos 

if ( $ num_videos_found > 0) {. — b Y 

YouTube by 七 he 

echo I <tablextr >'； o( <crrtvy> tags. 

for ($i = 0; $i < min ($num_videos 一 found, NUM—VIDEOS) ; $i + + ) { - Loop 

// Get the title video dd"t3 

$entry = $xml->entry[$i]; ry at 3 tW. 

$media = $entry->children('http :// search.yahoo.com/mrss/'); dll o-P ^hildvch -fo\r 七 his 

$ title = $ media->grou P -> 如七故 ^ ^ i, 你 oo/ 

video cr\*tvy, is stoved wdia ^amespate, media. 

// Get the duration in minutes and seconds, and then format it 〆 - dll o( "the ^hildv*C 

$yt = $media->children (' http : // gdata. youtube . com/schemas/2007 ' ) ; *fo\r "this C^"tv*y 3V*C \Y\ 

$attrs = $yt->duration->attributes (); 七七如 oUk ^ ^uTubc yt. 

^ ^ . \i\Ae.o m st^OY\ds -fv-om 

.^ ^ <y*t : dvA\ra*tio\r\> 

$length sec = $attrs [ ' sedo 的 ds ' ] % 60; ^ 〆 仏⑼ toy\VCV-b i*t *to 

$length formatted =$length 一 min • (($length_min ! =1) ? ' minutes, ' : ' minute,'). 

$length sec . ( ($length sec ! = 1) ? ' seconds 1 second'); 


// Get the video URL 

$attrs = $media->group->player-> a*t*tvibu*tcs ()； 


$video url=$attrs['url']; 



"the video Imk (URL) -fvom "the uv*l 
aiivibuic o( -the <rwcdia*playcv-> tag. 
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// Get the thumbnail image URL 

$attrs = $media-> ->thumbnail [0] ->attributes (); 


$thumbnail url=$attrs['url']; 



// Display the results for this entry 


-tKc 

URL -fv-om i\\t uv-l a-t-tv-»ku*tc o+ 


echo ' <td style= M vertical-align:bottom; text-align : center" width= M ' . (100 / NUM VIDEOS) 
'% M Xa href= M ' . $video url . ' M >'. jhi\t .'<br /Xspan style= M font-size : smaller M > '. 
$length—formatted • ' </spanxbr /ximg src= M ' • 灼 dil uvl • 1 M / ></a></td> '; 


echo '</tr></table> 


else { 


"the video \rcsults 
as a *tclblc dell with the 
video title, Ichg-th, ahd 
'thurv\bhdil 


O Build a request for VcuTube^ideosr- 
—@~Issue-the-vldso request to-VouT ab er 


echo '<p>Sorry, no videos were found. </p> 


—Q ~Receivp VouTubes response data 

eef#eHning information about the videos- 

Q Process the response data and format it 


?> 




The video. 


^id^http://gdata. youtube. com/ feeds /api/videos/6Uibqf0vtA</id> 

<published>2006-06-20T07:49:05.000-07:00</published> > 

• • • 

〈 media: group 〉 ; no in Yosemite Park near Area bpc/media: title 〉 

〈media : title typ.e= plain ^^FQSig q y OS emite Park in 2002. Yosemite Park is very 

^lose fo e the "border bftween^Srnia and Nevada, and close to Area 51.. . </media: description> 

<media:keywords>51, alien, aliens, area, ca, California, ne vada, sxghtxng, sxg xng (| c ^) 

uf o</media : __ . 0 , 

1 --- - ； -tV^c video, \y\ stCov\ds. 

I'^Travel " 


<yt: duration seconds:^^^ ， _ 

〈 media: category label= Travel &amp; Events / nn7/ . ■ C at ， >Travel</media: category 〉 

tvpe= ， video/3gpp 丨 medium= 'video 1 expressxon^^lX _ _ __ 

， height-97- width-130 

time: , 00:00:25 , /> 


97 ' width: 


240 1 width= 1 320 ’ 


<=H ， : f h i^^ 2 a 5 ^u > rl = ， h tt P: //im g . yOU t U b e . CO m/ V i/— 6U ib qf Q VtA / 1 .j Pg | height: 
iedfa:fhu^na'ii'url-^ttp : //img.youtube . eight: 

time: 丨 25 ’/> 、'- - - 1 

<y?!statis?ics viewCount= - 2478159 - f _ a ^ r n ^ Count= 

rating min=' 1 1 max= ' 5 1 numRaters- 1602 average 4 . / 

j — http://gdata.youtube.c_/feeds/api/videos/_6UibqfQvtA/comments ， 

countHint='4426'/> 

</gd:comments> 

</entry> 

<entry> 


The URL of 

130 ' "the video lihk 

97' width= , 130 , YouTube. 


TV^c URL 

a 灼 a’l 

“ay w) 
o( V»dco. 


</entry> 


























aliensabductedme — now with youtube videos! 




Tqst DriVq 



Add the YouTube script to Aliens Abducted Me. 

Create a new text file named youtube . php, and enter the code for Owen’s YouTube script from the 
previous two pages (or download the script from the Head First Labs site at www. headfirst labs • 
com/books/hfphp). You still need to plug the script into the index . php script to turn YouTube 
videos loose on the main Aliens Abducted Me page. Here are the two lines of PHP code to do it: 

echo 1 <h4>Most recent abduction videos : </h4> 1 ; 
require once('youtube.php'); 


Upload the scripts to your web server, and then open index . php in a web 
browser. The bottom of the page should show a dynamically generated row 
of YouTube video links that are related to alien abductions. 


-the 

youtubephp 
sGrip 七 m -the 

paje is 

all it takes -fco 
add "the irow o( 

dlien dbdud 七 ioh 
videos. 


V^uTubc videos 
have helped 
h^vv-ow 
s lo^atioh. 


0^0 


Abduced 



Aliens Abducted Me 

卿 L 艸 W m 獅哪娜撕 _? W 师艸 ibd 咖 ™ my 咖柳 d 岭 

li hwil 

Mnvl nvt'iiL n，|nirtwt iihdurtinttu 

SOOS.IIS: McLnlwLd Kwsjum 

Abdu^rdftiiri Alien 

H houev ill s slup slic w a iull mexfo 

JQCSMVT.II : Midtey Mlkeas 

AtMlUOHl mi A ㈣ dfMflpUOB: 

43 mlmjKi..Jird wuraUis hc*ds, si:lr』>. ijnii and 邮 

2Ma-tf7-BS : ^hiO Watner 

ahrfiiried for- Allan drHTijilMin ： ， 

2hpun ^ ihoc >hci^hLligihtin the Mkvwcd W »l«Hc nr 

2008 抓 21: IkILtu Chi：”* 

Atmiitttd fwt AWlS d*4«S(HHlEi ； 

alHMKi a wKk. ^iLUBiSj 1 Wnlc ljuggcWi no rhyiftm 

200SM15-11 : Silly ioincs 

Alk-ia dfACTiplinEif 

W Jill MX LcnlidH 


AhdiKttd fiop= 

L d ay 


FmW\^ ApOUrf ： 

ibam 角 

&Q 



O Clkk tlK- aMusIkin news f«dr 

>Sa<it m'vnL Mlidyction »kl«tv- 


UfO Spirittii CnuAiini; ABtrn^ Lurr f »re «F 
Vmrij ■! <jrKxlud!! SpfclM Int^ 

Cl m[nuln,l 4 newt 0 minulCTp 


1>0* KUesfin Ul'TJ , , 

EIdi erinis N™r WO Spol^K^mr _*u* B r 

EBfc[Tniwr3 VHK 


tTuncbct!^ 


|：| minulo. 圓 一 
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you found fang! 
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Your PHP 备 MySQL Toolbox 

With Fang now accounted for ， it’s 
possible to reflect a little on what all 
it took to track him down. As it turns out ， 
PHP and MySQL required some help from 
a few other technologies. 


>< 亂 

^tr\c markup la，ay used 
provide a ^v-cd^lablc sbrUUrtXfi 

da-ta. Ucv-c arc 叫 
mark 叶 la，ap Wilt W ><MU 
su^ as 沖丁亂 ad 
idea is -b^a-b you crtait a set o\ 

七 ay s^\c -to v/^atever da-ta 

youVc stov"»v\^ as 

s impleanl_ioad_fii 7 ^ 

1^7 p / p Wi 。山山 

a, XML Uc a URL, 

h ihc … ulii h3 〆槪 

^ aUCS5iblc 。b〆 


啦 T 

“咖 s d 似 S—— 

URLs. RBT allots 70U ^ ^ 
? o^U data versts W 

VC^ACsts* 


R££ 


/\h XAIL—based used *fco 

s*to\rc syhdidatcd dohtcht, sudh as 
hews s-fcov-ics. RSS alloy/s y/eb sites 
b> make theiv- data available b> 
o*the\r applidatiohs 3hd v/cb sites 
-fo\r syhdida 七 ioh, 3hd allov/s you 
■to -take advah-tage daia made 
Available by o*thc\r sites. 



SimpleXMLElement 

A buil*t-m PHP object 七 V>a 七 

is used *bo attess )(ML- da*b3* 

TWis object is vcW^cd by *tKc 
sim^loa1 C() -fuy>d*tioir>, 

ay >a tonlams 七 ^ cyrtive dodumcr>*t 
Wicva\rdV>Y C^f ar> ></WL do6_ ⑶七 . 


/^amespade 

A way o-p o\rgahiz.ihg d set 

X 々 IL *t^gs ih*to d lo^iddl gvoup, 
so\rt like how youv last hdme 
ovgahiz^s youv -family i h *to a 
hamcd y ou P. A hamespade is 

always associated with a URL, 
whid “ Chsuves Uhic^uchcss amohg all 
othev hamcspadcs. 
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appendix 1 ： MtoVers 餐 

▲ The Top Ten Topics. 
+ (we didn^t cover) 



Even after all that, there’s a bit more. There are just a few more 
things we think you need to know. We wouldn’t feel right about ignoring them, 
even though they only need a brief mention. So before you put the book down, 
take a read through these short but important PHP and MySQL tidbits. Besides, 
once you’re done here, all that’s left are a couple short appendices... and the 
index... and maybe some ads... and then you’re really done. We promise! 


this is an appendix 
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retrofit your php code 


# 1. Retrofit this book for PHP4 awd mysql fuwctiows 


With the exception of XML functions in Chapter 12, most of the code in this book will run on 
PHP 4 servers with only a little modification. We’ve used the mysqli family of functions in this 
book, which are only available in PHP 4.1 and later, and since the library has to be manually 
installed, some servers won’t support mysqli. 

Mysqli functions are generally faster, but this really only begins to matter when your database 
becomes huge. Small or average databases won’t be perceptibly slower with the older mysql 
functions. This section is designed to tell you how to retrofit your mysqli functions to work as 
mysql functions with older versions of PHP. 

If you see: 

$dbc = mysqli 一 connect(localhost, 'mork', 'fromork'); 

mysqli 一 select— db($dbc, 'alien_database'); 

you’ll use: 

$dbc = mysql connect(localhost, ’mork', 'fromork'); 



mysql select db('alien database ’， 


as _七 is wi 七 h rwysqli 一 seled: 一 dbO. 


In general, you just remove the i from mysqli, making it mysql, and then swap the order of 
the arguments so that the database connection variable ($dbc in this example) appears last. 

But it gets a little trickier when the mysqli_connect () function sidesteps mysqli_ 
select_db () and uses a database name. There’s nothing quite like that in the mysql family of 
functions. For the single mysqli_connect () function that uses a database name, you’ll need 
two mysql functions. 

If you see: 

$dbc = mysqli connect(localhost , 'mork', 'fromork', 'alien database'); 



Hcvc database is 
selected as pav-t <^f maknr^ 

is^*t possible m ov\t 
s*tcp mys … 


you’ll need to use two commands: 


$dbc = mysql 一 connect(localhost, ’mork', 'fromork 
mysql select db('alien database', $dbc); 





also ds d dd'tsbasc 

已 orme 乙七 icw w l’mk. 
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Here’s how mysql and mysqli functions match up. 


Close MySQL 
connection 

mysqli close (conn) 

mysqli close(conn) 

Open a 

mysql connect (host, username. 

mysqli connect (host, username. 

connection to a 

password) 

password, database) 

MySQL server 

You must use mysql select db () to 
select a database. 

You don’t need mysqli select db () to 
select a database. 

Return the text 

of the error 
message from 
previous MySQL 
operation 

mysql error(conn) 

mysqli error(conn) 

Escape a string 

mysql escape string(string, conn) 

The order of arguments is opposite, expects 
the string, then the connection (link). 

mysqli escape string (conn, string) 

Expects the connection (link) followed by the 
string. 

Fetch a result row 

as an associative 
array, a numeric 
array, or both 

mysql fetch row(result) 

mysqli fetch row(result) 

Get number of 

rows in result 

mysql num rows(result) 

mysqli num rows(result) 

Execute a 

MySQL query 

mysql query(conn, query) 

mysqli query(conn, query) 

Escape special 

mysql real escape string(string. 

mysqli real escape string(conn. 

characters in a 

conn) 

string) 

string 

The order of arguments is opposite, expects 
the string, then the connection (link). 

Expects the connection (link) followed by the 
string. 

Select a MySQL 

mysql select db(dbname, conn) 

mysqli select db(conn, dbname) 

database 

The order of arguments is opposite, expects 
the string, then the connection (link). 

Expects the connection (link) followed by the 
string. 


you are here ► 
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User permissions m MySQL 

Suppose you’ve created a web application that only allows visitors to SELECT data from your table. You perform 
queries on your data using a specific database, and MySQL gives you power over your data. 

But consider this: the login and password you use in your mysqli connection string would, if connected directly to the 
database via the MySQL terminal or GUI, allow the user to INSERT, UPDATE, and DELETE data. 

If your application doesn’t need to do those things, there’s no reason why the user/password you are using to connect 
with needs to be able to. With MySQL, you can limit the access to your database. You can tell MySQL to only allow 
the user to SELECT. Or SELECT and INSERT. Or any combination you need. 

And what’s even more impressive, you can control access to specific tables. For example, if your application only works 
with a table called alien—inf o and doesn’t need access to the cyborg_inf o table, you can limit it. 

First, you may want to create an entirely new user/password to be used for your application. You can do this in the 
MySQL terminal: 

I File Edit Window Help Aliens! 


mysql 〉 CREATE USER alienguy IDENTIFIED BY 'aliensRsc4ry f ; 
Query OK, 0 rows affected (0.07 sec) 


Then you can use the MySQL GRANT command to control what alienguy can do to your database. If 
he only needed to SELECT and INSERT data into your database, this would work: 


File Edit Window Help TheyLive 


mysql 〉 USE alien—database; 

Database changed 

mysql 〉 GRANT SELECT, INSERT ON alien—info TO alienguy; 
Query OK, 0 rows affected (0.03 sec) 


If you don’t like using the MySQL terminal to create users and set privileges, you 
can download and install a handy program caled MySQLAdministrator. Get it 
here: http : / /dev. mysql. com/down loads/ gui-tools/5.0, html. 


You can set very specific user privileges, even control wkat your user 
can do to a speciiic column. To learn more, ckeck out Head First SQL. 
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The MySQL Administrator lets you control your user accounts and what each user account can access 
in your database. It even allows you to specify which kind of queries that user can perform on each 
table in your database. To control the access every user has to each table and each query, open the 
MySQL Administrator application, and click on the Accounts tab. 

Here’s the interface and an overview of how to control what each user can do. First, create an account: 






^ ^ ■ 


Fivsi, didk A^ou^ts. 



Pfb^rpwi 
In I 




ML 




iu|uriiii3l%a I 


TKcv> use 七 IVis 
butto 灼 *to add 

a y>c>w addouv>*t- 




EXukI 


A-ftcv* you yve youv- 
new USCV" d l^amC d^d 3 
\j>assvio\rd, dlidk this *to 
^RANT him pv-ivilejes. 


Here is youv list tables m d yv ⑼ database- 
Select i\\t ov^t youv affkatio” is usm^. 


J his is yo ulr useHist 

VW 釙 ⑽ £ c hcw 

the to^hro\ ' 
^t\\ has -Po^ c 

y Se.ccx 

thcoh Cyouw ^^ 

你 od 4 y hc^c. 



r\ r\ rn 


Ae 鑫 fruiltft — i«fllhD , i! ini i«h«l 

m ° @ HI Jl _ i 幽 S 

㈣ Isvi、Wilffi Rirlim 


InhumrirlirHi ^rnricr □rrHonf Ar-tnijnll ^ 



C n rjl Ech^mi Pirlvllffgp-E 

mywatUpp^-lEKJltUHCt 

i^hema Idjtjb4i0 L^nnscEiDn prrvikgc% lo Ihc u&cr. 


&Cht^U yl/ 

lnform.iEI[m n ^s;lw 

J blh^l^ 
phM^mr# 
Amyiql 
■- rS^kyJcb%. 

；ni iT 


A3.f FfA- ： <gei! 




PPl%HKC 3 
r ： 此 t 
_ Infill 

争 DflW 
爭 Ct^uip 

申 Cnnc 

_ Rj^r#Ar#f 

Indus 

flAlber 

T* a CrF4lC .!mp Jibil 

染 LodCflUci 
辛 CmLlc.¥lew 

ihiM.vlEW 

免 trei^e-iouL^ne 

^Hlff.rquCInf 

争 iNKUtC- 





Diicjrd Oiflrrgfcn 


Save Oidpngu 


|-f you look 
七 V>vo— 七 IVis list, 
you’ll vcdo^izjC 
tKc mdrn MyS^L 
s*ta*tcmc»r>*b you’ve 
sttr\ \r\ *tK'is 
book. Select only 
*tKc oy\cs youv 
application y>ccds 
*to v/ovk- 
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mysql error reporting 


Error reporting for MySQL 

In many of our code examples, you’ll see lines like this: 

mysqli—connect(localhost, 'mork', 'fromork') or die ('Could not connect.') 

When this command fails, the words “Could not connect.” are displayed on the web page. It tells us that 
something went wrong, but it doesn’t give us information beyond that. 

Fortunately, PHP offers a function, mysql_error (), that will give us a clue as to exactly what went 
wrong. Consider this code where we are trying to connect to a MySQL server that doesn’t exist: 

<?php 

mysqli 一 connect('badhostname', 'mork', 'fromork') or die (mysqli 一 error()); 

•?> 

Wtrts *tV^c cv-vov 

Unknown MySQL server host * badhostname * (1) you ll see* 

This will return clear information as to what actually went wrong when the mysqli—connect () 
function fails. You can also use mysqli_error () with other mysqli functions: 

<?php 

$dbc = mysqli—connect('localhost', 'mork ', 'fromork'); 



Here are some other error messages you might see: 

Table 'test•no_such 一 table' doesn't exist 

Can't create table 

Can't create database 'yourdatabase'; database exists 

Can't drop database 'yourdatabase(; database doesn’t exist 

There are dozens more, and it would be a waste of paper to list them here. Browse on over to this site to 
get more information: 

http :// dev.mysql.com/doc/refman/5.0/en/error-messages-server•html 

If you’re retrofitting your mysql functions, as mentioned in #1, you can use 

mysql error () instead of mysqli error () 
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# 4. Exception handling PHP errors 


Exception handling allows you to change the normal flow of your code 
and execute a special block of code when a specific exception occurs. 
PHP 5 and 6 offer exception handling. Here’s a brief introduction. 


Let’s say you want to withdraw S200 bucks from an ATM. 

But maybe you’re required to have a minimum balance of SI 000, 
and this withdrawal will put you under $1000. That isn’t allowed. 

Transaction failed! 

Here’s how this scenario might play out in PHP code with the 
help of exception handling to catch the failure. 



<?php 


function checkBalance($balance) { 
if($balance < 1000) { 

throw new Exception("Balance is less than $1000.") 


/ 


s -the -feedback well 
s Chd out i-p ou\r is 

less thah IOOO. 


return true; 



TV^c w *bY blotk is used 
-bo -tes-t ouv- value y/i*tKou-t 


ou\r 

checkBalance (999) ; - - - 


echo 'Balance is above $1000.'; 


catch(Exception $e) { 


echo * Error : ' . $e->getMessage(); 


?> 


ouv odduv-s, v/c 

^ _ _ ^ c>ccdu*tc the todt \y\ this blodk. 

I 的 this tBst, wc Cdho ouv message- 


When the code runs, you’ll see this: 
Error : Balance less than $1000. 


you are here ► 
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exception handling in php 


# 4. Exception handling PHP errors (cowt.) 

Exception handling consists of three blocks of code: 


1. Try - This block is where you check to see if your value is what you expect it to be. 

If it is, everything is great, and your code continues on its way. If not, an exception has 
ocurred. In programmerese, an exception is “thrown.” 

And when something is thrown, there needs to be something to catch it. If there is an 
exception, the “catch” block code is executed. If not, the code will continue as normal. 


2. Throw - The “throw” commands 
the “catch” block and sends it an error 
message. Each “throw” has at least 
one u catch.” 



<?php 

function checkBalance($balance) { 
if($balance < 1000) { 

throw new Exception("Balance is less than $1000.") 


return true; 


3. Catch - An object is created 
with the exception information. 
More information on objects, on 
the facing page. 


try { 

checkBalance(999); 
echo 'Balance is above $1000.'; 

} 

catch(Exception $e) { 

echo * Error : * . $e->getMessage() 


?> 
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巧 . Object-oriGwtcd PHP 


Object-oriented languages use a very different progamming model than their procedural 
counterparts. You’ve been using PHP procedurally, but it also has an object-oriented side. 
Instead of a chronological step-by-step set of instructions, particular structures become 
objects. Objects include not only a definition of your data, but also all the 
operations that can be performed on it. When you use object-oriented PHP, you 
create and work with objects. 

Before we discuss why you might want to use OO PHP, let’s write some: 


o Write your class. 


class Song 

{ 

var $title; 
var $lyrics; 


TKcsc ms 七 

^ vaviaklcs. 


function Song($title, $length) 
$this->title = $title; 
$this->lyrics = $lyrics; 


This sets the title 
ar>d lyvids o( d soh^ 
y/liCh v/c dv-catc oy\c- 


This is a method 栎 a 七 uses i\\t 
variables Jc object 


function sing() { 

echo 'This is called ' . $this->title . '.<br / > 

echo 'One, two, three...' . $this->lyrics; 


This is ou\r 
dlass dc-rmcs 
ou\r ob\cdt 

V 



❺ Create a new object. 



0 \ay so% has the value w Blue 
Suede SiioCS^ -fov i*U ir\amc. 


$shoes_song = new Song(* Blue Suede Shoes', 'Well it\* s one for the money.• 
$shoes song->sing(); 






ttevVs wc e,a\\ -the sihgO 

-PoV" ou\r 乙七 . 


❺ Your song can sing itself! 

When you run this code, you get this: 








T 


This Is CAlV^d Blue 5yede 

One, Iwn, th ree.. .We 11 it's nne for iki 1 

monev，... 


But if you can just write the echo 
code without all the object stuff, 
why use OO PHP? 


There are some great reasons... 
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巧 . Object-oriGwtGd PHP (cowt.) 

Instead of a chronological step-by-step set of instructions, your data structures 
become objects. Objects include not only a definition of your data, 
but also all the operations that can be performed on it. In our Song 
example, we set the title and lyrics of the song inside the class, and we create 
the sing () method inside the class. If we needed to add more functionality 
to our Song object, we’d add new methods and variables to our Song class. 

For example, if we wanted the songwriter for each song to be associated with 
each song object, we could add that as a variable in our class. 

The power of OO really shines as an application grows. Suppose we decided 
to use the Song class as part of a karaoke application with hundreds or even 
thousands of individual song objects, all with their own unique titles, lyrics, and 
songwriters. Now let’s say someone wants to choose from only songs that were 
written by Elvis. All we’d have to do is look at the songwriter instance variable 
of each object. 

And to actually feed the lyrics to the karaoke application? We could just call the 
sing () method on each song object when it is being performed. Even though 
we’re calling the exact same method on each object, it is accessing data unique 
to each of the objects. 

So iwo big advantages of using Object Oriented PHP arc: 

Objects can be easily reused. They are designed to be independent of the code 
where they are used and can be reused as needed. 

The code is easier to understand and maintain. If a data type needs to change, 
the change occurs only in the object, nowhere else in the code. 


A big disadvantage is that, in general, OO code can be longer and take more 
time to write. If you simply need to display the lyrics from one song, then 
writing a small procedural program might be your best bet. But if you think 
you might want to build that online karaoke app, consider diving further into 
object-oriented PHP. 
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# 6. Securing your PHP application 


There are some simple steps you can follow to protect your PHP scripts from those 
nefarious hackers that are crouched over their keyboards waiting for you to slip up. 




Remove phpinf o () references. When you first start building PHP 
applications on new web servers, you’ll probably create a script that 
contains the phpinf o () function, so you can see what version of PHP 
you are using and if it has MySQL support, along with a list of other 
installed libraries. It’s fine to check with phpinf o (), but you should 
remove that function after you’ve taken a look. If you don’t, any hacker 
out there who discovers a new PHP vulnerability will be able to see if 
your site is susceptible to it. 

If you aren’t using a web hosting service and have access to the php . ini 
file, there are a few changes you can make to it to further secure your 
PHP applications. Ironically, the location of your php . ini file can be 
found by using phpinf o () : 





pfipinFoO 


jpHP Version S,g.1 、 


syiiwn 


POT ?OMi nwfl'Sllpl 


WiPrtJunie 
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卜鳩 MK onsr '-dsaaia-liH* • 

SerwrAPI 

CGDTaslCGI 

Vlriunl DlirMtQry 
Sumwn 

Conrigumten Fite 

dbutbhri 

/uarflac* 加 cWPSW-W - -- 

牌 P.KIU PlWl 

PHP API 

£0044225 

PHP EKHrntlfHl 

2W6W13_ 

Z«ndi Enenikin 

Cwbug Quihd 


w - - - 

Tlimnd fiiifcty 

ril-yibEod 

lend Mcmaiy 
他鬥呼 r 

nrkitilixl 

IPv6 仙口 pen 

IdlsaNid 

Reqitnnd PUP 
StTiBITW 

Dtv. m 側 a ； hec.tip. Mmpf83a.Bifc 

RnQinmd sinfem 
Trai»port& 

HJft odp. LWlK. 

n«gla.ttnd airtim 
niti?ri 

stnng.rDiJiai elnwtoijfHwn s^nr^j.tolo^af tlrfru ifllp cwveit, ■ w^ufnea. zi^i 


*tV>c fa 七 h 

-to youv fhf 'm'i -Pile- 
you >wvi*tc 
•rt Ao^y\) vemembev- 
*to delete 七 he 
fhfm-foO -Pur>d*tior>. 


Tide’s move 
sensitive 
•nrvfovma 七 I 。灼 
-fuirthcv do^iY\ 
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php security measi/res 


# 6. Securing your PHP application (cowt.) 

Here are some specific settings you should consider changing in the php . ini file. 
Open the file in a text editor, make the changes, save them, and then restart your web 
server. 

safe_mode — On 

When you turn on saf e—mode，no PHP scripts can be called by another script with 
a different owner on the same web server. Obviously, if you need to allow scripts from 
other owners to call yours, you can’t use this setting. 

open—basedir = directory[ : ...] 

This restricts the scripts and files that PHP will be able to execute or access to this 
directory and subdirectories beneath it. 

expose_php — Off 

With this set to On, every web browser that visits your site will be sent header 
information that reveals information about you PHP server. Turning it off hides that 
information and makes your server a little less exposed. 

display—errors = Off 

Once you’ve developed your application and are running it on your live web server, you 
don’t need to see all those error messages. Hopefully, you’ve already addressed errors, 
but sometimes things slip through the cracks. To hide the error messages from site 
visitors, set this to Of f. 

log_errors — On 

This sends your errors to an error log. When you want to check your application 
for errors, this is a good place to begin. With display—errors set to Off and 
log_errors set to On, you’ll be able to see problems, but your site’s visitors won’t. 

error_log = filename 

You’ll have to check with your particular web server software to locate this file. This is 
where your errors will be written when log errors is set to On. 
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# 7. Protect your app from cross-site scripting 

You may have heard of cross-site scripting sometimes 
referred to as XSS. Gross-site scripting is an attack against 
a web app where script code is passed to your form 
processing script and hijacks your output. It’s a big security 
problem in PHP web apps. Let’s take a look at precisely 
what it is and how to defend against it. 

Gross-site scripting usually takes advantage of sites that 
display user-submitted data. Any data you get from your 
users and display could potentially be corrupt and cause 
visitors to your site to be vulnerable to a hacker. 


Using an XSS attack, a hacker can do any number of 
things. One of the worse is to redirect your results page to 
a page on a site under their control that might ask the user 
for further information. Your user might not notice that 
he’s no longer on your site, and since he trusts your site, he 
might willingly submit sensitive information directly on 
the attackers server. 

Here’s how it might happen on the Guitar Wars site: 

Ethel, instead of submitting her name in the Name 
field on the form, types in some JavaScript code. In the 
example, she’s using the window. location function 
to redirect the browser to her own site. And since she 
controls her own site, she can show the visitor anything 
she wants, including a site that looks just like Guitar Wars. 
She could do something even more nefarious with sites 
that expect people to submit more important information 
than high scores, such as financial information. 

There are other, even more insidious things that she could 
do, including stealing cookies or presenting the user with 
a screen that appeared to be a login screen. As soon as the 
user logs in, she has his username and password and can 
pretend to be him back on the original site. 

So how do you avoid cross-site scripting attacks on your 
web applications? 


f) no wart - Your Hloh Scora 



Ethel 乙 ah’t dlicat, 

she’ll the scores 

"to oy/h site 

with d\ross-sitc sdv-iptihg. 


You thought you 
foiled me. Tm going 
to hijack your site, 
and you re going down! 



o 



<script language:” 
javascripf>window. 
location=”http://ethelrulz. 
com”;</script> 


^11 sV\c Kas *to do is submit 
•tWis toAt m "f ield 

oy\ someone 

viev/s i\\t stove, 
bvov/sev* v/*ll 

*bo v/cb s»*tc tWis 
JavaStv-*ip*t Code- 
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# 7. Protect your app from cross-site scripting (cowt.) 

Fortunately, if you are validating your data, you are already on the road to protecting your 
application. You’ve already learned how to do just that in Guitar Wars. Here are three 
guidelines that will keep your applications safe: 

Validate everything 

Any data that you receive, such as form input, needs to be validated so that hacker code is 
detected before it can harm your application. If you assume the data is bad until you prove that 
it’s not through validation, you’ll be much safer. 


Puilt-iw PHP functions caw help 

Use built-in PHP functions such as strip—tags () to help you sanitize external data, 
strip—tags () is a great function that removes any html tags from a string. So if you use 
strip—tags () on Ethel’s $— POST [ ' name ' ], you’ll end up with this: 

window.location= ! http :// ethelrulz.com' 

While this is still not a name, it won’t actually redirect the browser because the important 
JavaScript tags have been removed. 


I?ata is guilty until proven innocent 

Start with the most restrictive validation you can, and then only ease up if you have to. For 
example, if you begin by accepting only numbers in a phone number field, then start allowing 
dashes or parentheses, you’ll be much safer than if you allowed any alphanumeric characters 
in the first place. Or in the case of Guitar Wars, if we don’t allow anything except letters in 
the name field, we’ll never even get the less than sign (<) that opens Ethel’s evil JavaScript code. 
Regular expressions (Chapter 10) can go a long way toward making sure only the exact data you 
want is allowed. 
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# 8. Operator precedence 


Consider this line of code. 

$marbles =4/2-1; ^ 


H will be /. 


The value stored by $marbles could be either 1 or 4. We can’t tell from the code, but we can assume 
certain rules of precedence. By precedence, we mean the order in which they are executed. 
Operators in PHP are carried out in a certain order. In the example above, the division will take place 
before the subtraction does, so $marbles will equal 1. 

Depending on what we need our code to output, we could have written it two different ways 

$marbles 二 (4 / 2) - 1; 

$marbles = 4 / (2 - 1); 


In the first expression, we divide 4 by 2 and then subtract 1. In the second case, we subtract 1 from 2 and 
then divide 4 by the resulting 1. Using parentheses allow you to precisely control the order of operations. 
But knowing the precedence of operators in PHP can help you figure out what’s going on in a complex 
expression. And, trust us, it will help you debug your code when you’ve forgotten to use parentheses. 

Before we get to the PHP operator precedence list, here’s another reason why you should use parentheses. 
Consider this: 

$marbles = 4-3-2; - |*t Will be -I - 

No precedence rules apply here. The result could be either 3 or -1. This is pretty confusing when you’re 
writing code. Instead, it’s better to code with parentheses, like in these two lines: 

$marbles = 4 - (3 - 2); 

$marbles —— (4-3) - 2; 

Now the list, from highest precedence (evaluated first) to lowest (evaluated last). 


Operator 

Operator Type 

++ —— 

increment/decrement 

*/ % 

arithmetic 

+ - . 

arithmetic and string 

<<=>>=<> 

comparison ^ - - - 


comparison 

&& 

logical 

II 

logical 

一 + —-一 *一 / 一 •一 &一丨一八一 

«= »= 

assignment 

and 

logical 

xor 

logical 

or 

logical 



Com\>av-'»soy\ 
opev-a-tov-s, like 
•tViosc you use m |F 
also 

V^ave a yrcCcdcUc 
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php 5 versus php 6 


# 9. Whaf s the difference between PHP 5 awd PHP 6 

As of the writing of this book, PHP 5 is the latest production version of PHP. But PHP 6 is 
being worked on and is available for developers here : http : / / snaps . php . net/. 

The differences between PHP 4 and 5 are much greater than between 5 and 6. In many 
ways, 6 offers a refinement of the object-oriented features introduced in 5. Other changes 
include more support for XML and Unicode. 


More Unicode support 

Suppose your application needed to output text in Greek. 
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Consider the kinds of things you sometimes have to do with strings, such as needing 
to know the length of them or sorting them. It’s straightforward in English, but 
when you are working with characters in other languages, string operations become 
more complicated. 

Unicode is a set of characters and technologies to encode them. In Unicode, the 
Greek character that looks like a triangle has a specific numeric value assigned to 
it, along with other characters in other languages. Unicode is a standard, which 
means it receives wide support from major technology providers. In Unicode, every 
character has a unique number, no matter what language, program, or platform 
is used. Before the advent of PHP 5, PHP had no real support for Unicode. PHP 
6 has enhanced support for Unicode strings in its functions and functions built 
specifically for creating and decoding Unicode. 
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# 9. Whaf s the difference between PHP 5 awd PHP 6 (cowt.) 


OO refinements, XML support and other changes 

PHP 5 offers an object-oriented programming model but still allows for the 
mingling of procedural style. PHP 6 moves farther into the object-oriented 
realm. One of the biggest changes here is that dynamic functions will no longer 
be permitted to be called with static syntax. There are any number of small, but 
important, changes to the way PHP handles its OO code that make it more 
consistent with other OO languages such as C++ and Java. 

A few other changes are: 

■ Both XML Reader and XML Writer will be extensions in PHP 6, making it 
easier to work with XML files. 


bloY\t o( 七 he dodc m 七 iVis 
book uses dyr>amit 
so you do^-t Kavc *to >wov-vy 
about any o*f 七 dodc r\oi 
m PftP 厶 . 


■ The register_globals, magic—quotes, and safe—mode options in 
the php . ini file will no longer be available. 

■ The ereg extension, which provided another way to build regular expressions, 
is removed. Fortunately, the same preg—match () code covered in this book 
will be the main way to build regular expressions in PHP 6. 

■ A 64-bit integer type will be added. 

■ Multi-dimensional arrays will be able to use f oreach. 

■ Version 6 of PHP is, more than anything, a version that cleans up and refines 
the language. 
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# 10. Reusing other people's PHP 


It’s not always necessary to write your own PHP code from scratch. 


Sometimes it’s best to reuse someone else’s. The following are several 
popular and highly successful PHP-based software packages that you 


should consider using if you have a need and would prefer not reinventing 
the PHP wheel. Oh, and they’re all free! 


Prupal 

One of the most impressive PHP projects to date, Drupal is 
a powerful content management system that can be used to 
build just about any kind of content-driven web site. NASA, 
The Onion, the Electronic Frontier Foundation, and Popular 
Science all use Drupal for their web sites. It’s flexible enough 
to build just about anything that is heavy on content. Check it 
out at http : // drupal. org/. 

php 卵 

A category killer in the realm of online message boards 
(forums), phpBB is easy-does-it when it comes to building your 
own forum. It is extremely flexible and hard to beat at the one 
thing it does so well — managing threaded discussions. Find 
out more at http : // www. phpbb . com/. 

Coppermine Gallery 

If image hosting is what you have in mind, Coppermine 
Gallery is the PHP application to check out. In an era of 
Flickr, Photobucket, Shutterfly, and Snapfish, hosting your 
own photo library sounds downright quaint. But with control 
comes power, and if you want complete control over your 
photos, take a look at Coppermine Gallery at 
http :// coppermine-gallery.net/. 



Hold it right there! Why 
bother learning PHP if 
you re just going to reuse 
other peoples code? 


O 


A^o*tKcv v-cally ^ 
PttP-kascd tcm 七⑶七 

眯⑼七 system is 

Joomld!> y ou ^ 
lcav-y\ about a 七 
Vvbtp://v/y/v/.joomlaov*^/- 



WordPrcss 

One of the heavy hitters in the blogosphere, WordPress is 
PHP-based blogging software that lets you build and maintain 
a blog with minimal hassle. There’s lots of competition out 
there, so you might want to do some exploring, but you could 
do worse than to pick WordPress if you’re launching a blog. 
Download it at http : // wordpress . org/. 


Because reusing code isn’t always 
as simple as it sounds_sometimes it 
requires PHP skills. 

Many PHP software packages still require 
customization, and that often requires some strong 
PHP development skills. Not only that, but you 
may elect to only reuse a small component of 
someone else’s code, or not reuse it at all. Either 
way, by having PHP knowledge, you have options, 
and options are always a good thing! 
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肴 

A place to play 





He thinks I*m a great cook, 
but I hide all my mistakes 
before he sees them. 


You need a place to practice your newfound PHP and 
MySQL skills without making your data vulnerable on 

the web. It s always a good idea to have a safe place to develop your 
PHP application before unleashing it on the world (wide web). This appendix 
contains instructions for installing a web server, MySQL, and PHP to give you 
a safe place to work and practice. 


this is an appendix 731 


installing php & mysql locally 


Create a PHP development Gwvirowmcwt 


Before you can put your finished application on the web, you need to 
develop it. And it’s never a good idea to develop your web application on 
the Web where everyone can see it. You can install software locally 
that lets you build and test your application before you put it 
online. 


There are three pieces of software you’ll need on your local computer to 
build and test PHP applications: 

1. A web server 

2. PHP 


3. A MySQL database server 


PHP isn’t a server; it’s a set of rules that your web server understands 
that allow it to interpret PHP code. Both the web server and the MySQL 
server are executable programs that run on a computer. 


Keep in mind that we’re talking about setting up your local computer as 
a web server for PHP development. You’ll ultimately still need an online 
web server to upload your finished application to so that other people 
can access and use it. 


scv-vcv so^*tv/av-c s\aCM as 

is vc«\uivcd *to SCV-VC 
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The MySdJL database 
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as the web scv-vcv- 
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you\r lo^al 


Server computer 



d PHP 
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as a scv-vcv- 
-Po\r the fuv-poscs 
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*to vuir\ PHP s^rifb. 


Find out what you have 

Before trying to install any of the pieces of the PHP development puzzle, 
your best bet is to first evaluate what you already have installed. Let’s take 
a look at the three pieces and how you can tell what’s already on your 
system. 

The platform of your local computer makes a big difference when it 
comes to what’s already installed. For example, Mac OS X has a web 
server installed by default, while most Windows computers do not. 


NOTE: This appendix 
covers Windows 2000, XP, 
Vista，Windows Server 
2003/2008, or other 32-bit 
Windows operating system 
For Mac, it applies to Mac 
OS X 10.3.x or newer. 
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Vo you have a web server? 

You probably already have a web server if you are using a newer PC or 
Mac. To find out quickly on either system, open a brower window and 
type http : / /localhost in the address bar. If you get an introductory 
page, that means your web browser is alive and well on you local machine. 



K you have a Mac or IMhdows 
你 adhihe with the Afddhe web 
scirvcv" ihs^llcd ； you see 
somethihg like this. 




l-f you iiave d l/V'mdov/s 

||S, you 你 i # 七 

sec "this. 


Po you have ?W! Which version? 


If you have a web server, you can check to see if you have PHP installed very easily, as 
well as which version you have. Create a new script named info . php and type this in it: 

<?php phpinfo (); ?> 

Save this file to the directory your web server uses. On Windows it’s typically: 

C : inetpub/wwwroot/ 

On the Mac, it’s usually something like: 

/Users/yourname/sites/ 

If you try to open this file in your browser by typing http : / /localhost/info . php, 
you’ll see something like this if you have PHP installed: 



version 

PttP you have ms-tallcd- 
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checking your mysql version 


Vo you have MySQL? Which version? 

On Windows, you can tell by opening the Control Panel —> Administrative Tools —> Services.. 



tteve s y/iicvc 
you’ll see MyS($L. 


To determine if you have MySQL on the Mac, open your terminal and type: 
cd / user/local/mysql 

If the command works, you have MySQL installed. To check the version, type: 


"The AlyS^L Tcv-mihal 

is also khov/h as -the 

/WySdJL 


mysql 

l-P *tWs 

sutdccds, *l*t 

is 'ms'boilled- 


File Edit Window Help IHeartPHP 


$ cd / usr/local/mysql 
$ mysql 

Welcome to the MySQL monitor. Commands end with ; or \g. 
Your MySQL connection id is 3 

Server version: 5.0.51b MySQL Community Server (GPL) 

Type 丨 help; 1 or 1 for help. Type f \c r to clear the buffer 
mysql> 


Commands end with ; or \g. 


Weve’s 七 he vcv*sioK> 

o( 

have 


/VlySdJL you 

t ms-talled- 
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set up a development environment 


Start with the Web Server 

Depending on the version of Windows you have, you can download Microsoft’s Internet 
Information Server (IIS), or the open source Apache web server. If you need a server on 
the Mac, you should probably go with Apache since it’s already installed. 

Here’s a brief overview of installing Apache on Windows: 


Head over to http : / /httpd. apache . org/download. cgi 

If you’re using Windows, we suggest you download the apache_ 
2.2.9-win32-x8 6-no_ssl-r2 . msi file. This will 
automatically install Apache for you after you download and double 
click it. 

〜 ab this vcvsioh 
3hd double 匕 lidk 

it a-ftev- you’ve 
dowhloadcd it. 

Next you’ll see the Installation Wizard. Most of 
the instructions are straightforward, and you can 
accept the default choices. 
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Choose the domain your 
computer is on. If you 
don’t have one, you can 
enter localhost. 
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Your best bet is to choose the 
typical installation option. 
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You can usually choose 
the default directory for 
installation of the software. 
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installing php 


Apache installation... concluded 


You’re nearly finished. Click Install and wait a minute or so for 
the installation to complete. That’s it! 



Your web server is set to start automatically when you start up your computer. 
But you can control it using the Services panel by stopping and starting it in 

the the Control Panel — > Administrative Tools — > Services dialogue 
where it will now show up. 


PHP installation 

Go to http :// www.php.net/downloads.php. 

Just as with Apache, if you’re using Windows, we suggest you download the 
Windows installer version, php-5. 2 .6 -Win32-ins taller . msi. This 
will automatically install PHP for you after you download and double click it. 
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After you’ve downloaded the file, 
double click it. Click the Run 
button to begin the installation. 


Bv\d dovmlodd i 七 . 
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set up a development environment 


PHP mstallatioH steps 

It starts with a basic Setup. 




Accept the License 
Agreement to continue. 
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Selecting the default installation 
folder is usually a good idea. 
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Careful on this screen. If you’re using Apache, select the right version. 
If you’re using IIS, you will probably select the IISAPI module. Check 
with your particular software to determine exactly what you need. 



This next screen is also tricky. You need to scroll down under 
Extensions and choose MySQLi. This will enable you to use the 
built in PHP mysqli functions that we use throughout this book! 
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installing mysql on windows 


?W installation steps... concluded 


That’s it. Click on Install, then 
Done to close the installer. 


Now try looking at your http : / / 
localhost/info . php file in your web 
browser and see what version is showing up. 



Installmg MySQL 

Instructions and Troubleshooting 


You still need MySQL, so let’s work through the downloading and installing of 
MySQL. The official name for the free version of the MySQL RDBMS server 
these days is MySQL Community Server. 


The following is a list of steps for installing MySQL on Windows and Mac OS X. 

This is not meant to replace the excellent instructions found on the MySQL web 
site, and we strongly encourage you to go there and read them! For much 
more detailed directions, as well as a troubleshooting guide, go here: 

http : //dev.mysql.com/doc/refman/6.0 / en/windows - ins tallation.html 


You’ll also like the MySQL Query Browser we talked about. There, you can type 
your queries and see the results inside the software interface, rather than in a 
console window. 
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set up a development environment 


Steps to Install MySQL on Windows 

❶ Go to: 

http : //dev.mysql.com/downloads/mysql/6.0.html 

and click on the MySQL Community Server download button. 
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Red Hat Enterprise Linux 3 RPM 
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installing mysql on windows (continued) 


Pownload your installer 

Windows ZIP /Setup . EXE option because it includes an installer that 
greatly simplifies the installation. Click on Pick a Mirror. 


❺ 


Under Windows downloads^ we recommend that you choose the 
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o 

o 


You’ll see a list of locations that have a copy you can download; choose the 
one closest to you. 

When the file has finished downloading, double-click to launch it. At this 
point, you will be walked through the installation with the Setup Wizard. 
Click the Next button. 



you've doublc-dlidkcd the 
-rile 3hd the Setup lVir^\rd di^loQ 

^ the H butU. 
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set up a development environment 


Pick a destinatioM folder 



You’ll be asked to choose Typical, Complete, or Custom. For our 
purposes in this book, choose Typical. 

You can change the location on your computer where MySQL will be 
installed, but we recommend that you stay with the default location: 

C : \Program Files\MySQL\MySQL Server 6.0 

Click the Next button. 



CiV^rogram FilesV^ySQLV^IySQL Server 5.0\ 




Click "Install" and you're dowel 



You’ll see the Ready to Install” dialog with the Destination Folder 

listed. If you’re happy with the destination directory, click Install. 
Otherwise, go Back, Change the directory, and return here. 


Click Install. 


you are here ► 
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installing mysql on mac os x 


Enabling PHP on Mac OS X 

PHP is included on Macs with OS X version 10.5+ (Leopard), but it's not enabled 
by default. You have to access the main Apache configuration file and comment 
out a line of code in order to get PHP going. This file is called http • con f, and 
is a hidden file located down inside the Apache install folder. 

You're looking for the following line of code, which has a pound symbol (#) in 
front of it to comment it out: 

#LoadModule php5_module libexec/apache2/libphp5.so 

You need to remove the pound symbol and restart the server to enable PHP. The 
http.conf document is owned by "root," which means you’ll have to enter your 
password to change it. You’ll probably also want to tweak the php . ini file so that 
Apache uses it. For more detailed information about how to carry out these steps 
and enable PHP, visit http : //f oundationphp. com/tutorials/php_ 
leopard.php. 


Steps to Install MySQL oh Mac OS X 

If you are running Mac OS X Server, a version of MySQL should already be 
installed. 

Before you begin, check to see if you already have a version installed. Go to 

Applications/Server/MySQL Manager to access it. 


o 


Go to: 


http : / /dev. mysql. com/downloads/mysql/6.0 . html 

and click on the MySQL Community Server Download button. 


742 Appendix ii 



You may i^avc -to 

sfiYoll do 職 a b»*t* 





















set up a development environment 



Choose Mac OS X (package format) from the list. 
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Choose the appropriate package for your Mac OS X version. 

Click on Pick a Mirror. 

You’ll see a list of locations that have a copy you can download; choose the 
one closest to you. 

When the file has finished downloading, double-click to launch it. You can now open 
a Terminal window on your Mac and type: 

shell> cd /usr/local/mysql 

shell> sudo ./bin/mysqld_safe 

(Enter your password, if necessary) 

(Press Gontrol-Z) 

shell> bg 

(Press Control-D or enter exit to exit the shell) 

If you’re using a GUI tool such as phpMyAdmin, check its documentation for how to 
access it once MySQL is successfully installed. 


you are here ► 
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making your site live 


Moving from production to a live site 

You’ve spent days or weeks working on your site, and you feel it’s ready to go 
live. To move your PHP and MySQL site from your local computer to the web 
requires a little planning and a few specific techniques. 

First, you need to make sure that the place your site is going has the same 
versions of PHP and MySQL you expect. If not, you may need to make your 
code to match what is available. Most of the code in this book is portable, but 
you may need to retrofit your PHP code back to the mysql functions, as opposed 
to the mysqli functions we use in this book. If that’s the problem, check out #1 
of The Top Ten Topics (we didn’t cover) for more information. 

If the software on your live site is compatible, then moving your site over is 

simple. Here are the steps: , 

Vouv- PHP -files Y\ctd b> 
be P 丁 P’ed to 七 he v/eb 
div*cd*to\ry <>f youv live si-tc- 

1. Upload the PHP files from your production server to the web directory on your 
live server. Keep the file structure intact, and make sure you don’t lose any 
folders you might have created to contain your included files. 

2. Do a database dump (which we’ll show you in a moment) to get the MySQL 名 
statements you need to create your tables and the INSERT statements you need 
to move your data from the table on the production server to the live server. 


,>u v\ttd bo a*t 
s*tvu^*tuvc ok 
youv "tables ar^d 
da*ta s*fcovcd 七 he 眯 . 

tteve’s iiov /： 



3. Log in to your live database where you can run the CREATE and INSERT 
MySQL statements to move your data from your local site to the live site. 


4. Modify any database connection code in your PHP files to point at the live 
database server. If you don’t change this, your live code will try to connect to 
your production site and won’t be able to connect. /K 


>uv- S 没 L durv\j> will 
jive you the 

o( youv 

CREATE TABLE 


av\d 

IhlSBRT siaic^b- 


Chaise *thosc mysqli — 
io pom 七 a 七 youv /1/IyS^L sewev- assodia*tcd 
w'rth youv live si*tc, b\oy\^ v/i*th dov-vcd*t 
usev-^ame fasswovd *to yt you tormented. 
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Pump your data (and your tables) 

You’ve FTP'ed your PHP files to the live server, but your data is still not on the 
live site’s MySQL server. When your table is full of data, the idea of moving it 
to another MySQL server can be daunting. Fortunately, bundled with MySQL 
is the MySQLdump program, which gives you an easy way to recreate the 
CREATE TABLE statement that can recreate your table and all the INSERT 
statements with the data in your table. You simply need to use the MySQLdump 
program. To make a copy of your data that you can move to another MySQL 
server, type this in your terminal: 



$ mysqldump 

Usage : mysqldump [OPTIONS] database [tables] 

OR mysqldump [OPTIONS] --databases [OPTIONS] DBl [DB2 DB3 

OR mysqldump [OPTIONS] --all-databases [OPTIONS] 

For more options, use mysqldump __help 

$mysqldump riskyjobs jobs > riskyjobstable.sql 


This sends the CREATE TABLE statement for the jobs table to a text file 
we just created named riskyj obsttable . sql. If you leave off the 
>riskyj obstable . sql part, then the CREATE TABLE and INSERT 
statements will simply scroll by you on the screen in your terminal. Try it to 
see what we mean. It’s not very useful, but you’ll see all your data fly by, nicely 
formatted in INSERT statements. 

Once you’ve sent all that data to your new file using the greater than sign, you 
can grab that file and use the contents as MySQL queries at your hosting site 
to move your tables and your data. 

Prepare to use your dumped data 

Get ready to move your data by running a CREATE DATABASE statement on your 
live MySQL statement. Then run a USE DATABASE on your new database. Now 
you are ready to move your data from your production server to your live server. 


you are here ► 
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putting mysql data on the live server 


Move dumped data to the live server 

You’ve created a file called riskyj obstable • sql that contains 
MySQL statements that create your table and insert data into it. The 
file riskyj obstable . sql probably looks a bit like this: 


These a\rc 
dll 
you 

igho\rc them 


The 

always wv- 

a PROP 

to 

s-ta\rt with 
a t\tBv\ slate 
bc-fov-c domg 

a CREATE 
a^a INSERT. 



--MySQL dump 10.11 


-Host : localhost 


riskyjobstable.sql 


Database : riskyj obs 



--Server version 


5.0.51b 


* ! 40101 SET @OLD CHARACTER SET CLIENT=@©CHARACTER SET CLIENT 


- Table structure for table 'jobs' 



DROP TABLE IF EXISTS 'jobs'; 

CREATE TABLE 'jobs' ( 


|-f you 'tiiCV'C iSir\ "t 3 

earned w jobs w y/iicvc you avc 

七 Wis ewe, you 6a” \<y\ort tWis Command. 


、 job—id、int (11) NOT NULL auto^ncrement^^s 
'title' varchar(200) default NULL, 

'description' blob, 
city 、 varchar(30) default NULL, 
state 、 char(2) default NULL, 

'zip' char(5) default NULL, 

、co id 、 int(11) default NULL, 


create 

table 

s ^Ci»eirt. 


PRIMARY KEY (、job 一 id) 

)ENGINE=MyISAM AUTO _ INCREMENT=l4 DEFAULT CHARSET=utf8; 


--Dumping data for table 'jobs' 


»^ir\OV"C L-OC^ 
s*ta*tcw'Cir\*t to\>y a^d 

paste a*t 

INSERT s-ta-tcw'C^t 


Mys^ldurwp 

makes 

a sm^lc 

INSERT 

state 

i\\ai 

msev-ts 

cvcv-y voy/ 

table- 


LOCK TABLES 'riskyjobs' WRITE; 

/*!40000 ALTER TABLE 'riskyjobs' DISABLE KEYS */; 

INSERT INTO 'riskyjobs' VALUES (8,'Custard Walker','We need 
people willing to test the theory that you can walk on 
custard.\r\n\r\nWe\'re going to fill a swimming pool with 
custard, and you\'11 walk on it. \r\n\r\nCustard and other 
kinds of starchy fluids are known as non-Newtonian fluids. 
They become solid under high pressure (your feet while you 
walk) while remaining in their liquid form otherwise.\r\n\r\ 
nTowel provided, own bathing suit, a must.\r\n\r\nNote : if 
you stand on for too long on the custard\'s surface, you will 
slowly sink. We are not liable for any custard sinkages; 
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Take the entire text of the .sql file and paste it into your MySQL terminal 
or the query window of your MySQL graphical client (like phpMyAdmin). 

This performs the queries in the file. In the case of the example on this page, the dumped file 
contains a CREATE TABLE statement and an INSERT statement. Along the way, the dumped file 
tells your MySQL server to drop any existing table and to LOCK (or keep anyone from using) the 
table while you INSERT the new data. 


Co 晒 ct to the live server 


You’ve moved your PHP files to your live site. You’ve taken your table 
structures as CREATE TABLE statements and your data as a massive 
INSERT statement from the mysqldump and executed them on your live 
web server, so your data has been moved. 

There’s a small step left. The PHP code you FTP'ed to your live web site 
isn’t connecting to your live MySQL server. 

You need to change the connection string in your mysqli—connect () 
function to point to your live MySQL server. Anywhere in your PHP code 
where you call the mysqli—connect () function, you’ll need to change it. 

$dbc = mysqli connect('localhost ', 'myusername ', 'mypassword ', 


or die('Error connectin to MySQL server.') 





"This will be -the har^c 
youm live s \ic. H wi || < 
i-r Vouv- 一 


will ohly be ValhW 

scv-vcir is oh -the sa^c 


harhC ^ IP addircss of 


This y/ill be the 
of the database you 
oh youv* live 

scv-vc\r. 


ov\ 




、 认丨 u win ohiy 
yowr is 


^ youm PWP pa 9cs . 


/Ud these will be the usev-hdme dhd 
password allow you "fco 
live /WyS^L scv-vcv-. 


you "to -fco 


That’s it! 


■ You’ve copied your FTP files to your web server, 

■ you’ve dumped your tables and data into a . sql file, 

■ you’ve run the queries in the . sql file on your live MySQL server, 

■ and you’ve changed your PHP file to call your live MySQL server database. 


Your site skoulct now te live! 


you are here ► 


747 




appendix iii* extend your pKp 


Get even more^ 



I know I have everything 
any run-of-the-mill, 
heartbreakingly beautiful, 
fiendishly clever femme fatale 
needs, but \Ys not enough. 


Yes, you can program with PHP and MySQL and create 

great web applications. But you know there must be more to it. And 
there is. This short appendix will show you how to install the mysqli extension 
and GD graphics library extension. Then we’ll mention a few more extensions 
to PHP you might want to get. Because sometimes it’s okay to want more. 


this is an appendix 




installing new php modules 


Extending your PHP 

This book discusses installing both the mysqli and GD modules on Windows. In this 
section, we’ll show you how to see what modules you have, how to get GD or mysqli 
if you are missing them, and how to install them in Windows. Unfortunately, installing 
these modules on a Mac or Linux system is kinda tricky. More on that at the end of 
this appendix. 

NOTE: This appendix covers Windows 2000, XP, Vista, Windows 
Server 2003/2008, or other 32-bit Windows operating system. 


If you're using Windows, youYe iw luck 


You probably already have both the mysqli and GD modules on your computer. And 
even if you don’t, adding them is relatively easy. We’ll show you how to check to see 
what you have, if you’re missing one of them, how to get it, and how to activate one or 
both modules. 


It starts with checking to see what you have. 


o First, figure out if GD or 

mysqli is on your system. To 
do that, begin by navigating to 
the directory where the PHP 
extensions are installed. They 
are typically in the C : / PHP/ 
ext directory, although the 
path may be different on 
your machine. Open the ext 
directory and look for php_ 
gd2 . dll and php_mysqli . 
dll. In general, these are 
installed with PHP 5 and later, 
and simply need to be activated. 
If you have them, great, move 
on to step 3. If not, go to step 2. 
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extend your php 



If you’re missing either php_mysqli .dll or php_gd2 . dll, you’ll have to get it. 
Chances are you already have both DLLs on your machine, but if you don’t, you can find 
php_gd2 . dll at: http : // www. libgd. org/Downloads. Download it and copy it 
to the folder ext under your PHP install. In our examples, it’s located at C : / PHP/ext. 


You can get the mysqli extension from MySQL.com. First, browse to http : / / www. 
mysql. com. Click on Downloads (along the top) —> Connectors (it’s in the left 
menu) —> MySQL native driver for PHP —> Download php— mysqli • dll for 
PHP 5.2.1 (Windows) (Make sure this is your version). 



■■ :: .ij 


Hmi 




c 

JVlySQL. 


MliMJ tMmwi 


Powntead Conrwctcr.'P HP 


V/ind^wrt dmrJIwlft tor le> feUTSOL 


frowi PHP 


UU^hKi 






H ㈣ 




BTlfcWi 睡⑺卜 

■ H '■ I 


iMill Tfa JW B4，lj 

■ feLMk^at tsirvi l 氬雇欠 1 


ivriidPiiVvl 

r<F iYiiwWy 


bJadOLJ 


Jriau 


相 ivHaUMp>p ftflJUEL: 




imlmoiFi-fi uu UiiQ^ l-,illMi Ow iaf 

Piuejiuii^ U^LIHyBVBi aiui«b«ni 


rsT-ptaDg 


^vab vcvs\ov\ 

W\VS<\I"» *to ^0\A\ 

vc— omp. 



By now you should have 
php— mysqli • dll and 
php_gd2 . dll copied to your 
/ PHP/ext folder. We need to tell 
our php . ini file to use these 
DLLs. To do that, browse to the 
directory it’s in, and open the file 
in a text editor. 
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installing new php modules (continued) 


o 


❺ 


Dig through your php . ini file and locate 
the lines: 

extension=php_gd2.dll 
and 

extension=php_mysqli.dll 

If either of these have semicolons (;) or 
pound signs (#) in front of them, that 
means they are commented out. Remove 
them and save your file. 


Delete scrwidolo^s -fvom \y\ 

-these *two I'mcs i-f 
have Then save youv- -file- 


The last step is to restart your Apache web 
server so that the changes you made to 
your php . ini file will take effect. To do 
this, go to your Windows Control Panel, 

double-click on Administrative Tools, 

then click Services. You should see this: 
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Click the Apache service, then click 
on Restart from the menu on the 
left. The next time you try to use the 
GD or mysqli functions, they should 
work correctly. 


752 Appendix Hi 








































extend your php 


And oh the Mac 


Unfortunately, it’s quite a bit more difficult. Adding modules on the Mac 
means recompiling the PHP source code and passing in arguments to add in 
the modules you want. There are simply too many possible combinations of 
Mac operating systems and PHP versions to include in this short appendix. 

There is a terrific guide that may help you install the GD module located here: 

http :/ /macoshelp.blogspot.com/2008/02 / adding-gd-library-for-mac-os-x-leopard.html 

It will only work if you have the right OS X version (Leopard), and the right 
PHP version (5). If you don’t，or the instructions don’t work for you, you may 
want to dig through the comments on that site and on the original GD website, 
http : // www. libgd. org/, for more detailed and specific installation 


instructions for your flavor of OS X and PHP. 

For help in adding mysqli to your Mac version of PHP, which also means 
recompiling PHP, we recommend the instructions here: 



wet sc\rvc\r a su^h ds a lodal 


http :// dev.mysql.com/downloads/connector/php-mysqlnd/ 


is bcihj uploaded and ics-ted oy\ 
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Symbols 

! (NOT operator) 174, 221 
% (dollar sign) 25, 26 
游 —COOKIE variable 376, 382, 414 

S_FILES variable 239, 252, 293 
upload errors 269 
S_GET 276 

S_POST 32—36, 55—56, 134, 276 
array 34 

providing form data to MySQL database 91-94 
seeing if form has been submitted 202 
superglobal 33 

s—SERVER[PHP_SELF，] 200, 289 

S—SERVER variable 342 
securing applications 300 
S—SESSION variable 391 ， 395-396, 414 
Si counting variable 264 
% metacharacter 572 
^result variable 135 
% (percent sign) wildcard 505 
&& (AND operator) 179, 221 
* (asterisk) 70, 130 
-> operator 698, 700 
-> prompt 119 
.(period) 40, 41 
/* and */ 335 

;(semicolon) 125 
MySQL 64, 67 

PHP 25 

SQL statements 111 
< (less than) 168, 221 


<> (not equal) 168, 221 
==(equal signs) 167 
> (greater than) 168, 221 
>=(greater than or equal to) 168, 221 

<?php> tag 16, 24, 55-56 
spaces inside 305 
<? tag 27 

@PHP error suppression 269, 288 
\ (backslash) 46 
\d metacharacter 572 
\n (newline characters) 47 
\s metacharacter 572 
\w metacharacter 572 
A metacharacter 572 
_ (underscore) 26 
_ (underscore) wildcard 505 
|| (OR operator) 179, 221 

A 

accidental deletions 149 
action attribute 14 
ADD COLUMN statement 232, 293 
addemail.php script 126—131 
Add Score Form Up Close 237 

admin pages 272-278 
protecting 300 
score removal links 275 

securing application, authenticating Admin page 
with headers 306 

alias 477, 499 
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Alien Abduction site 658-712 
assembling email message 48 
connecting to MySQL database 60-102 
deconstructing PHP script 24 
getting emails 53 
HTML web form 5—9 
losing emails 54 
problems with HTML form 8—9 
problems with web form 29—30 
RSS syndication 660—676 
Test Drive 7, 17, 20,37,42,52 
adding newsfeed link 677 
adding YouTube script 708 
from data and INSERT statement 95 
inserting data into MySQL database 89 
INSERT statement 69 
RSS Newsfeed script 675 
selecting all content 71 
WHERE clause 97 
YouTube request URL 687 
variables 31 

YouTube video syndication 678—712 
laying out videos for display 702—703 
REST request 686—687 

ALTER statement 125, 235, 252 


Anatomy of a header 303 

AND operator (&&) 179 

Apache, installing on Windows 735-736 

apostrophe 47 

application design 106 

applications 
defined 105 

personalized (see personalized web apps) 
array_push() function 449 

arrays 34, 55-56 

looping through with foreach 216 
MySQL result sets versus PHP arrays 638 
versus objects 700 

arrows (schema symbol) 436 
direction 438 


AS keyword 499 
asterisk (*) 70， 130 

atomic data 462-463 
normalization 465 
authenticating with headers 306—307 
Authorize script 314—317 
AUTO_INGREMENT 209 

B 

backslash (\) 46 

Bar Graph Exposed 635 

bar graphs 632-635 
basics 644 

drawing and displaying 647 
file storage issues 651 
formulating plan 639—641 
generating individual 650 

BLOB data type 114 
<br /> tags 41, 46 
browser 55 
built-in functions 536 

Bullet Points 

S_FILES variable 252 
S—SERVER variable 315 
ALTER statement 252 
GAPTGHA 629 
character class 602 
checkdnsrr() function 602 
cookies 397 

CREATE DATABASE command 
CREATE TABLE command 142 
database connections 88 
die() function 88 
DROP TABLE command 142 
exit() function 315 
GD (Graphics Draw) 629 
header() function 315 
headers 315 

HTTP authentication 397 


ALTER TABLE command 209, 221, 232, 293, 322 
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images folder 252 

<input> tag 252 

metacharacters 602 

move—uploaded_file() function 252 

mysqli_close() function 88 

mysqli—connect() function 88 

mysqli_fetch_array() function 142 

mysqli_query() function 88 

preg_match() function 602 

preg_replace() function 602 

quantifiers 602 

sessions 397 

session variables 397 

while loop 142 


c 

GAPTGHA 611—624, 654 

GD (Graphics Draw) 614—615 
functions 616—620 
generating random image 623 
Guitar Wars 625—629 
pass-phrase text 613 
Test Drive 624 

Guitar Wars Add Score script 628 
CASE labels 542-544 

CHANGE COLUMN command 232 
character class 578-579, 602, 604 
CHARACTER data type 114 
CHAR data type 114—116 
checkboxes 215 

checkdnsrr() function 599, 602, 604 
warning 599 
children() method 699 
child table 438 
chr() function 613 
client-side 57 
clients, HTML 10 
code reuse 730 


coding efficiency 455 
collection of objects 697 
column/value query 337—338 
column names 112 

columns 109 
alias 477 

default column values 337—338 
non-key column dependencies 465 

commands and upper/lowercase 27 
comments 

double-hyphen (—) 334 
multi-line 335 
tricking MySQL with 334 

community web sites 347, 372 

concatenating strings and variables 41-43 

conditionals 166—170 

conditional tests 139 

content type header 309 

cookies 374-388 
defined 374 
deleting 385-387 
lifespan 406—410 
migrating to sessions 398-399 
parts of 375 
plus sessions 409 
sessions without 403 
size of data 410 

storing user ID and username 381 
user log-ins 380-381 

using cookies rather than HTTP authentication 379 

using with PHP 376 

versus HTTP authentication 374 

versus sessions 400—401 

Coppermine Gallery 730 

counting variable 264 

CREATE DATABASE command 64, 110, 111 
CREATE TABLE command 64—65, 110, 117—118 
cross-site scripting 725-726 
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custom functions 535—560 

building queries with 537—539 
pagination 548-554 

LIMIT clause 549-550 
page navigation links 554 
revising results 553 
tracking pagination data 551 
variables 552 
value of 536 

Custom Functions Exposed 538 

D 

data, controlling 427-500 
alias 477 

data-driven forms 450-460 
joins (see joins) 
normalization 462—468 

data, defining 113 

data-driven forms 450-460 
efficient data types 453 
database connection strings 81-82 
database name 76 
databases 61 

diagrams of tables (see schemas) 
joining tables (see joins) 
location 63 

Many-to-Many relationship 438—440 
normalization 462—468 
benefits 464 
three steps 465 

One-to-Many relationship 438—439 
One-to-One relationship 438—439 
password 63 
referential integrity 437 
structural changes and queries 471 
user name 63 
versus tables 68 

databases, creating and populating 103-158 
-> prompt 119 
addemail.php script 126—131 


ALTER statement 125 
column names 112 
columns 109 

CREATE DATABASE command 110, 111 
CREATE TABLE command 110, 117-118 
creating database and table 108-125 
data types 113, 114 
defining data 113 
DELETE command 147—153 
accidental deletions 149 
WHERE clause 148-149 
DESCRIBE command 123 
DROP TABLE command 124 
getting started 107 
mail() function 134 

making contact with MySQL server 110 
queries 117-118 
rows 109, 112 

SELECT * FROM command 134, 135 
SELECT command, asterick 130 
semicolons (;) 125 
sendemail.php script 133-145 
S_POST array 134 
S re suit variable 135 
mysqli_fetch_array() function 135—142 
mysqli_query() function 135 
storing database data 109 
tables 

creating inside database 112—113 
defined 109 
structure 123 
USE command 120—121 

database server 61, 75, 99-100 

database tables (see tables) 

data stored in files 223-294 
external files 240 
getting images from users 236 
GW_UPLOADPATH constant 253 
images, storing 225-252 
images folder 247-248 
FTP program 248 
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initial storage location of uploaded files 245 
inserting image filenames 238—239 
overwriting files 252 

php.ini file, storage location for uploaded files 252 
plannning for image file uploads 231 
Step 1 234 
Step 2 237 
Step 3 238 
Step 4 242 
Step 5 250 
Step 6 257 

temporary folders 244 
validation 

error messages 268—270 
image file uploads 266—270 

data types 113, 114 
efficient 453 

DATE data type 114—116 
DATETIME data type 114—116 
DEG data type 114 
decision logic 166 - 170 
default column values 337—338 
DEFAULT statement 342 

DELETE command 147—153, 157 
accidental deletions 149 
WHERE clause 148-149 

DELETE FROM statement 283-285, 293 
LIMIT clause 284, 289 
deleting files from web server 269 
DESCRIBE command 123, 157 

development environment, setting up 731—748 
building and testing PHP applications 732 
connecting to live server 747 
dumping data and tables 745 
installing Apache on Windows 7 35-736 
moving from production to live site 744 
MySQL 

identifying version 734 
installing on Mac OS X 742—743 


installing on Windows 739—742 

moving dumped data to live server 746—747 

preparing to use dumped data 745 

PHP 

identifying version 733 
installing 736—738 
web servers, identifying 733 

diagrams, database 431， 499 

die() function 83, 88 

display—errors 724 

dollar sign (5) 25, 26 

Domain Name System (DNS) 598 

domain suffixes 598—599 

dot notation 474 

double-hyphen (—) comment 334 

double-quoted strings 47 

double quotes 77 

versus single quotes 92 
Download It! 

Guitar Wars 228 
Mismatch application 350, 458 
Risky Jobs application 587 

DROP COLUMN command 232 
DROP TABLE command 124, 157 
Drupal 730 
duplicate code 194 

duplicate code, eliminating 417-426 
templates 422-425 
dynamic graphics (see visualizing data) 
dynamic HTML pages 3 

E 

echo command 24, 41, 55—56 

regenerating forms in PHP with 192 
else clause 184-190, 221 

Elvis store project 104-158, 160—222 
addemail.php script 126—131 
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Elvis store project {continued) 

application design 106 

deleting checked off customers 217-218 
empty email messages 163 
planning 108 

preserving form data 196—201 
sendemail.php script 133-145 
feedback 183—186 
logic behind 171 
validation 163—165 
Test Drive 

addemail.php script 129 

cleaner if code in sendemail.php 189 

creating database and table 118 

customer checkboxes 219 

DELETE command 150 

logical operators 181 

primary keys 211 

removing customer from mailing list 153 
self-referencing script 201, 205 
sending email using Send Email form 145 
Use command 121 
validating sendemail.php 177 
validation 164—165 

email address pattern 595-600 
domain suffixes 598—599 

emails 

assembling 48 
empty 163 

formatting and sending via PHP 43—52 
<br /> tags 46 

creating message body in PHP 44 
double-quoted strings 47 
escape characters 46 
HTML formatting 45 
newline characters (\n) 47 
storing email pieces and parts in variables 49 
getting 53 
losing 54 

mail() function 50—51 

sending form data using HTML 10 

sending form data using PHP 11 

empty() function 172—178, 221, 566 


empty email messages 163 
entities (XML) 693 
ENUM data type 325 
equal signs (==) 167 
equijoins 480 
error_log 724 

error handling, exception handling PHP errors 719—720 

error messages 268-270 
suppressing 269, 288 
error reporting for MySQL 718 
escape characters 46 

escaping characters (regular expressions) 580-582 

exception handling PHP errors 719—720 

exit() function 307, 311 ， 315, 342 

explode() function 510, 518, 560 

expose_php 724 

extending PHP 749—753 

F 

Fireside Ghats 

cookies versus sessions 400—401 
GET and POST 279 

flags 194 

foreach loops 215-218, 221 
arrays 216 

foreign keys 436—437, 499 
in action 437 
(see also primary keys) 

for loops 488-489, 499 

formatting and sending emails via PHP 43—52 
<br /> tags 46 

creating message body in PHP 44 
double-quoted strings 47 
escape characters 46 
HTML formatting 45 
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newline characters (\n) 47 

storing email pieces and parts in variables 49 


imageellipse() function 618 
imagefilledellipse() function 618 


forms 10, 55—56 
S_POST 32—36 

providing form data to MySQL database 91—94 
S_SERVER[PHP_SELF] 200 
<form> tags 6 
<input> tags 6 

accessing form data with PHP scripts 16 
action attribute 14 


imagefilledrectangle() function 617 
imageline() function 617 
imagepng() function 618 
imagerectangle() function 617 
imagesetpixel() function 617 
imagestring() function 619 
imagestringup() function 619 
imagettftext() function 620 


<br /> tags 41 
data-driven 450-460 
get method 6 
<input> tags 6, 38 
isset() function 202 
mailto 6, 9 

making HTML form dependent on if statements 
PHP scripts 11 

MySQL queries 73—75 
sending form data as email 9—14 
Post method 6 

preserving form data 196—201 
regenerating in PHP with echo 192 
seeing if form has been submitted 202 
self-referencing 199—201 ， 204—205 
spam bot attacks 607 
submit button 6 
type attribute 6 
validation 339 

<form> tags 6 

action attribute 14 

FROM part of SELECT statement 70 

FTP (File Transfer Protocol) utility 19 

G 

GD (Graphics Draw) 612—620 
GAPTGHA 614-615 
functions 616—620 
imagecolorallocate() function 616 
imagecreatetruecolor() function 616 
imagedestroy() function 619 


Geek Bits 

GAPTGHA 620 
Domain Name System 598 
SUBSTRING() function 530 
video length calculation 703 

get method 6 

GET requests 276-282 
(see also GET) 

graphics, dynamic (see visualizing data) 

graphics library 612 

greater than (>) 168 

greater than or equal to (>=) 168 

Guitar Wars 224-294, 606-630 
admin pages 272-278 
protecting 300 
score removal links 275 
altering high score database 232 
GAPTGHA 625-629 
Download it! 228 
formatting top score 262 
getting images from users 236 
images folder 247-248 
inserting image filenames 238—239 
isolating high score for deletion 283-285 
plannning for image file uploads 231 


Step 1 

234 

Step 2 

237 

Step 3 

238 

Step 4 

242 

Step 5 

250 

Step 6 

257 
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Guitar Wars (continued) 

securing application 296-344 
Admin page security 316 
authenticating Admin page with headers 306 
Authorize script 314—317 
form attack 330—333 
HTTP authentication 299—303 
human moderation (see human moderation) 
SQL injection attack protection 336 
ways to protect applications 297—298 
Test Drive 

adding CAPTCHA to Add Score script 628 

adding high scrore with image 243 

adding screenshot column 235 

Admin script HTTP authorization 311 

Authorize script 317 

create the Approve script 328—329 

handling of form data in Add Score script 340 

images folder 251 

include files 257 

removescore.php and admin.php 290 
screen shot image file validation 270 
showcasing highest score 265 
top scoring Guitar Warrior 261-265 
unverified scores 271 
validating image file uploads 266—270 

GW_MAXFILESIZE constant 253, 267—270 

GW_UPLOADPATH constant 253 

H 

header() function 305, 342 

Header Exposed 304 

headers 302—309 

Anatomy of a header 303 
authenticating with headers 306—307 
content type header 309 
location header 309 
refresh header 309 
Watch it! 309 

hidden form fields 289 

hostname 63 


HTML 55-56 
clients 10 

dynamic HTML pages 3 
lifeless language 2 

mixing PHP and HTML in same file 27 
PHP code 15 

sending form data as emails 10 
switching between PHP and 193 
working with PHP 3 

HTTP authentication 299-303, 343, 397 
authenticating with headers 306—307 
basic realm 311 
headers 302—309 
password encryption 360 
user log-ins 357-361 
using cookies rather than 379 
versus cookies 374 

human moderation 320-321, 343 
ALTER TABLE statement 322 
Step 1 322 
Step 2 324 
Step 3 326 
Step 4 327 



if statements 166—170, 221 
cleaner code 188-190 
else clause 184-190 

making HTML form dependent on 195 
nested 178, 187 
ternary operator 455, 459 
test conditions 168 

imagecolorallocate() function 616 

image compression levels 651 

imagecreatetruecolor() function 616, 654 

imagedestroy() function 619, 654 

imageellipse() function 618 

imagefilledellipse() function 618 

imagefilledrectangle() function 617 
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imageline() function 617, 654 
imagepng() function 618, 654 
imagerectangle() function 617, 654 
images 

placing on web pages 240 
RSS feed 670 

images, storing 225-252 

getting images from users 236 
initial storage location of uploaded files 245 
inserting image filenames 238—239 
planning for image file uploads 231 
temporary folders 244 

imagesetpixel() function 617 

images folder 247-248, 252, 293 

imagestring() function 619, 654 

imagestringup() function 619, 654 

imagettftext() function 620, 654 

<img> tags 240 

implode() function 513, 560 

include—once statement 293 

include files 254-255, 293 

initial storage location of uploaded files 245 

inner joins 473, 475, 499 

<input> tags 6, 38, 230, 252 

INSERT INTO statement 66 

INSERT statement 66-67, 85, 238, 337 
Test Drive 69 

INT or INTEGER data type 114-116 

IP address 63 

is_numeric() function 342 

isset() function 172—174, 202, 221， 566 



joins 473-481 

dot notation 474 
equijoins 480 


inner joins 473, 475 
natural joins 480 
non-equijoins 480 
outer joins 480 
USING keyword 476 

JPEG images and MIME types 270 

junction table 440 

K 

keys 436—437 

(see also foreign keys; primary keys) 



less than (<) 168 

less than or equal to (<=) 168 

LIKE clause 505-509, 560 

LIMIT clause 293, 549-550, 560 

DELETE FROM statement 284, 289 
location header 309 
log-ins (see user log-ins) 
log_errors 724 

logging out users 384-387 
sessions 393-394 
logical operators 179-182, 221 
order 181 
lowercase 27 

M 

mail() function 50-51, 55-56, 134 
configuring server 52 
mailto 6, 9, 10 

Many-to-Many relationship 438—440 
markup language 661 
MD5() function 355 

metacharacters 572-577, 602, 604 
quantifiers 577 
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MIME types for JPEG images 270 

Mismatch application 346—416, 428-500 
charting mismatchiness 630—652 
bar graphing basics 644 
building an array for categories 636—638 
drawing and displaying bar graph 647 
formulating bar graphing plan 639—641 
generating individual bar graphs 650 
storing bar graph data 632—633 
community of users 347 
cookie-powered user log-ins 380—381 
cookies (see cookies) 
data-driven forms 450—454 
data breakdown 430 
Download It! 350, 458 
eliminating duplicate code 418-426 
joins 478 

logging out users 385-387 
migrating from cookies to sessions 398-399 
(mis)matchmaking logic 484—489 
comparing users 487 
five steps to successful mismatch 485 
for loop 488 
preparing search 486 
mymismatch.php script 491—493 
navigating new Log-In script 382-383 
navigation menu 421 
normalizing database 469—470 
page footer 421 
page header 421 
questionnaire 445-459 

generating form 456—457 
getting responses into database 446 
planning steps 445 
Step 1 449, 456 
Step 2 449, 456 
Step 3 457 
Step 4 457 
sessions 392 

logging out users 393—394 
session starter 421 
signing up new users 365—371 
storing user data on server (see sessions) 


templates 422—426 
Test Drive 

adding sign-up functionality 371 
adding username and password 356 
changing cookies to sessions 402 
creating My Mismatch script 648 
grabbing mismatched topics and categories 637 
logging out users 386—387 
login.php script 362—363 
mismatch_category database table 470 
My Mismatch script 494 
Questionnaire script 458 
Questionnaire script with single query 481 
updating My Mismatch script 652 
using sessions and cookies 413 
user log-ins 348—363 
gameplan 349 
passwords 348 
prepping database for 351 
username 348 
user log-ins (see user log-ins) 

MODIFY COLUMN command 232 
move—uploaded_file() function 245, 249, 250, 252 
multi-line comments 335 
MySQL 57 

dumping data and tables 745 

error reporting 718 

identifying version 734 

installing on Mac OS X 742—743 

installing on Windows 7 39-742 

moving dumped data to live server 746—747 

preparing to use dumped data 745 

Query Browser 738 

user permissions 716-717 

MySQL, connecting to 61—102 

游 —POST，providing form data 91—94 
closing connections 87 
CREATE DATABASE command 64 
CREATE TABLE command 64—65 
database name 76 
database server 75 

FROM part of SELECT statement 70 
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inserting data with PHP scripts 77 
INSERT INTO statement 66 
INSERT statement 66—67 
Test Drive 69 
mysql>prompt 64 
password 63, 76 

PHP database connection strings 81-82 
PHP functions 78—88 

connecting with mysqli connectf) 80—82 
die() 83, 88 

mysqli_close() 78—79,87,99 
mysqli_connect() 78—84,99—100 
mysqli_query() 78—79,86,99 
mysqli—select_db() 82,99—100 
PHP scripts 76 
PHP scripts and forms 73-75 
queries 78—79, 84—86, 99—100 
assembling query string 85-86 
executing 86 
requirements 62—63 
SELECT statement 
asterisk (*) 70 
selecting all content 70—71 
WHERE clause 96—97 
server location 63,76 
sifting through data 96-97 
tables 75 

USE command 64 
user name 63, 76 
VALUES keyword 66 
order of values 66—67 


mysql>prompt 64 

mysqli—close() function 78-79, 87, 99 

mysqli—connect() function 78-84, 99—100 
connecting with 80—82 
mysqli—fetch_array() function 135 - 142, 157 
while loop 139—142 

mysqli—query() function 78—79, 86, 88, 99, 125, 135 

mysqli—real_escape_string() function 336, 340, 342 

mysqli—select_db() function 82, 99—100 

mysqli functions, retrofitting to work as mysql functions 
714-715 


MySQL result sets versus PHP arrays 638 

MySQL server, making contact with 110 

MySQL terminal 62, 68, 110 
-> prompt 119 
semicolons 111 


N 


namespaces (XML) 693, 695, 699, 711 
naming variables 26 
natural joins 480 
newline characters (\n) 47 
newsfeed 660 


No Dumb Questions 
POST 92 
-> operator 700 
-> prompt 119 
<? tag 27 

Admin page security 316 

ALTER statement 125, 235 

array—push() function 449 

atomic data 463 

bar graphs 633, 647 

GAPTGHA 612, 629 

character classes 579 

CHAR data type 115 

commands and upper/lowercase 27 

concatenating strings and variables 42 

concatenating variables 92 

cookies 375 

deleting 387 

storing user ID and username 381 
database relationships 439 
databases versus tables 68 
DESCRIBE command 123 
die() function 88 
double-quoted strings 47 
dynamically generated images 651 
else clause 189 
empty() function 566 
ENUM data type 325 
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No Dumb Questions (continued) 
escape characters 46 
exit() function 311 
for loops 489 
form was submitted 202 
GD (Graphics Draw) functions 629 
GET and POST 278, 282 
GW_MAXFILESIZE 270 

HTML formatting in emails you send from a PHP 
script 45 

HTTP authentication 301 
basic realm 311 
image compression levels 651 
initial storage location of uploaded files 246 
INSERT statement 85 
isset() function 173, 566 
joins 476, 480 
logical operator order 181 
MIME types for JPEG images 270 
mismatch_category table 468 
mixing PHP and HTML in same file 27 
mysqli_fetch_array() 142 
mysqli_query() function 88 
MySQL result sets versus PHP arrays 638 
MySQL terminal 68 
namespaces (XML) 695 
normalization 467 
Null, Key, Default, and Extra 123 
numeric data types 115 
objects versus arrays 700 
overwriting files 252 
pagination 558 
password encryption 360 
phone number pattern 569 
php.ini file 252 

PHP code and HTML code 15 
phpMyAdmin 68 
require_once 255 
REST 682, 685 
RSS 662 

RSS feed and images 670 
RSS reader 662 
search string 519 


SELECT command 130 
semicolons 125 
session—start() function 397 
sessions 397 
SHA() function 355 
shared script files 255 

short-term versus long-term persistence 410 

Sign-Up script 369 

SimpleXMLElement object 700 

single quote (apostrophe) 47 

single quotes versus double quotes 92 

size of data and persistence 410 

SQL comments 335 

SQL injection attack 335 

storing database data 109 

substr() function 530 

templates 423 

temporary folders 246 

ternary operator 459 

test conditions 170 

unverified scores 261 

UPDATE command 235 

user—id 351 

validation 165 

valid email addresses 597 

VARGHAR data type 115 

variables 27, 255 

visual security 353 

what PHP stands for 15 

XML 670 

non-equijoins 480 

normalization 462—468, 499 
atomic data 465 
benefits 464 

non-key column dependencies 465 
primary keys 465 
three steps 465 

not equal (<>) 168 

NOT NULL 209 

NOT operator (!) 174, 221 

NOW() function 238 
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0 

object-oriented PHP 721—722 

objects 688, 696—700 

accessing XML with 696 
collection of 697 

drilling into XML data with objects 698 
versus arrays 700 

One-to-Many relationship 438—439 

One-to-One relationship 438—439 

ON keyword 476 

open_basedir 724 

operator precedence 727 

ORDER BY clause 258, 293, 532-534, 545-546 

OR operator (| |) 179 

outer joins 480 

overwriting files 252 

P 

pagination 548-554 

LIMIT clause 549-550 
page navigation links 554 
revising results 553 
tracking pagination data 551 
variables 552 

parent table 438 

passwords 348 
comparing 355 
encryption 352 

SHA() function 354—356 
HTTP authentication 

password encryption 360 
visual security 353 

percent sign (%) wildcard 505 

period (.) 40, 41 

period metacharacter 572 


persistence 

sessions plus cookies 409 
short-term versus long-term 410 
temporary 375 
user 383 

personalized web apps 345-416 
community web sites 347 
security 372 
cookies (see cookies) 
logging out users 385—387 
signing up new users 365—371 
storing user data on server (see sessions) 
user log-ins (see user log-ins) 

(see also Mismatch application) 

phone number pattern 568-569, 573-577 
getting rid of unwanted characters 592 
standardizing 591 

PHP 55-56 
browsers 42 

building and testing applications 732 
checking if installed on server 19 
database connection strings 81-82 
difference between versions 5 and 6 728 
exception handling PHP errors 719—720 
extending 749-753 
identifying version 733 
installing 736-738 

mixing PHP and HTML in same file 27 
object-oriented 721—722 
rules 25 

securing applications 723-724 
sending form data as email 9-14 
servers 11 

switching between HTML and 193 
what PHP stands for 15 
working with HTML 3 

PHP&MySQLcross 155-156, 291-292, 497-498, 
655-656 

PHP & MySQL Toolbox 
! (NOT operator) 221 
COOKIE 414 
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PHP & MySQL Toolbox [continued] 

S—FILES 293 
S—POST 57 
SERVER 342 
SESSION 414 
&& (AND operator) 221 
< (less than) 221 
<> (not equal) 221 
<?php ?> 57 
==(equal signs) 167 
> (greater than) 221 
>=(greater than or equal to) 221 
|| (OR operator) 221 
ADD COLUMN statement 293 
ALTER TABLE command 221， 293 
array 57 
AS keyword 499 
GAPTGHA 654 
character class 604 
checkdnsrr() function 604 
client-side 57 
column/value query 343 
custom functions 560 
DEFAULT statement 342 
DELETE command 157 
DELETE FROM statement 293 
DESCRIBE command 157 
diagrams, database 499 
DROP TABLE command 157 
echo 57 
else clause 221 
empty() function 221 
escape character 57 
exit() function 342 
explode() function 560 
foreach loops 221 
foreign keys 499 
for loops 499 
form validation 343 
GD library 654 
header() function 342 
HTTP authentication 343 


human moderation 343 
if statements 221 

imagecreatetruecolor() function 654 

imagedestroy() function 654 

imageline() function 654 

imagepng() function 654 

imagerectangle() function 654 

images folder 293 

imagestring() function 654 

imagestringup() function 654 

imagettftext() function 654 

implode() function 560 

include_once statement 293 

inner joins 499 

is_numeric() function 342 

isset() function 221 

LIKE clause 560 

LIMIT clause 293, 560 

logical operators 221 

mail() 57 

metacharacters 604 
MySQL 57 

mysqli_fetch_array() function 157 

mysqli_real_escape_string() function 342 

namespaces (XML) 711 

normalization 499 

ORDER BY statement 293 

PHP 57 

PHP script 57 

preg_match() function 604 

preg_replace() function 604 

regular expressions 604 

require_once statement 293 

require statement 293 

REST request 711 

RSS 711 

schemas 499 

SELECT * FROM command 157 
server-side 57 

session_destroy() function 414 
session—start() function 414 
setcookie() function 414 
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SHA() function 414 
simplexml_load_file() function 711 
SimpleXMLElement object 711 
SQL 57 

SQL injection 343 
str_replace() function 560 
substr() function 560 
switch-case 560 
ternary operator 499 
trim() function 342 
variable 57 

WHERE clause 157, 293 
while loop 157 
XML 711 

php.ini file 252 

securing applications 723-724 
PHP4 714-715 
phpBB 730 
.php extension 25 

PHP functions 78-88 

verifying variables 172-178 
phpinfo() references 723 
php My Admin 62, 65, 68 
PHP scripts 

accessing form data 16 

action attribute 14 

connecting to MySQL 76, 77 

deconstructing AliensAbductedMe.com 24 

forms and MySQL queries 73-75 

running on servers 18 

servers 12—13 

servers translating 22—23 

transferring to server 19 

post method 6 

POST requests 276-282 
(see also S_POST) 
precedence 727 

preg_match() function 584-586, 602, 604 
preg_replace() function 588-590, 602, 604 


preprocessing data 518-519 
preserving form data 196—201 

primary keys 209—211, 436—437 
five rules 210 
normalization 465 
(see also foreign keys) 

pseudocode 641 

pulling content from another site 680 
(see also YouTube video syndication) 
pushing web content 659 
RSS (see RSS syndication) 

quantifiers 577, 602 

queries 78-79, 84-86, 99-100, 117-118 
assembling query string 85-86 
building queries with custom functions 537—539 
executing 86 

legitimate search terms 524-525 
multiple tables 472 
SQL query 86 

structural changes to databases 471 
quotes 47, 55-56, 77 

single quotes versus double quotes 92 

R 

rand() function 613 
referential integrity 437 
refresh header 309 
regex 570 

regular expressions 561-604 
character class 578-579, 604 
checkdnsrr() function 599, 604 
warning 599 
defined 570 

email address pattern 595-600 
domain suffixes 598—599 
escaping characters 580-582 
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regular expressions {continued) 
metacharacters 572-577, 604 
phone number pattern 568-569, 573-577 
getting rid of unwanted characters 592 
standardizing 591 

preg_match() function 584—586, 604 
preg_replace() function 588-590, 604 
quantifiers 577 
reserved characters 580-582 
validation trade-offs 597 


removeemail.php, deleting checked off customers 
217-218 

removing data 147-153 
accidental deletions 149 
request/response communication process 681 
require_once statement 255-257, 288, 293 
require statement 293 

reserved characters (regular expressions) 580-582 


REST request 682—687, 711 


building 686 

retrofitting mysqli functions to work as mysql functions 
714-715 

reusing code 730 

reverse-engineering scripts 316 

Risky Jobs application 502-560, 562-604 
build_query() function 537—539 
page navigation links 554 
pagination 548-554 
pagination variables 552 
revising pagination results 553 
sorting 545—546 
tracking pagination data 551 
complete search script 557-558 
Download It! 587 


Test Drive 

build_query() function 539 
checking for valid phone numbers 587 
cleaning up phone numbers in the Registration 
script 594 

email validation 603 

explode() and implode() functions 526 


generate_sort_links() function 546 
limiting text displayed for job descriptions and 
dates posted 531 
search form 515 
search script 559 

rows 109, 112 

uniquely identifiable 208—211 
RSS 711 


RSS feed 660 

dynamically generated 672 
images 670 
linking to 676 

RSS icon 676 


RSS newsreader 660, 662 
from database to 666 
RSS Revealed 671 


RSS syndication 660—676 

dynamically generated RSS feed 672 
from database to RSS newsreader 666 
linking to RSS feed 676 
XML 661,669 



safe_mode 724 

schemas 431-435, 499 
arrows (symbols) 436 
direction 438 

scripts 

communicating with each other 276 
include files 254-255 
require_once statement 255-257 
reverse-engineering 316 
shared script data 254-255 

securing applications 295-344 
SERVER variable 300 
Authorize script 314—317 
GAPTGHA 611-624 

GD (Graphics Draw) 614—615 
generating random image 623 
pass-phrase text 613 
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community web sites 372 
content type header 309 
cookies (see cookies) 
cross-site scripting 725-726 
default column values 337—338 
form validation 339 
GD (Graphics Draw) 612—620 
GD graphics functions 616—620 
header() function 305 
HTTP authentication 299—303 

authenticating with headers 306—307 
basic realm 311 
headers 302—309 
human moderation 320—321 
Step 1 322 
Step 2 324 
Step 3 326 
Step 4 327 

INSERT (with parameters) 337 

location header 309 

PHP 723—724 

refresh header 309 

reverse-engineering scripts 316 

spaces inside of <?php ?> tags 305 

spam bots 606 

SQL injection 335—340 

tricking MySQL with comments 334 

using cookies rather than HTTP authentication 379 

ways to protect applications 297-298 

SELECT * FROM command 134 ， 135, 157 

SELECT statement 
asterisk (*) 70， 130 
FROM 70 

selecting all content 70—71 
WHERE clause 96—97 

self-referencing forms 199—201, 204—205 

semicolon (;) 125 
MySQL 64, 67 

PHP 25 

SQL statements 111 


sendemail.php script 133-145 
S—POST array 134 
^result variable 135 
feedback 183—186 
logic behind 171 
mail() function 134 
mysqli_fetch_array() function 135-142 
while loop 139—142 
mysqli_query() function 135 
self-referencing script 201, 205 
validation 163—165 

Send Email Script Up Close 203 
server-side 57 
servers 55-56 

checking if PHP is installed 19 
identifying 733 

installing Apache on Windows 7 35-736 

PHP 11 

PHP scripts 12-13 
running on 18 

transferring PHP scripts to 19 
translating PHP scripts 22-23 

session_destroy() function 390, 392, 414 

session—start() function 390, 392, 395-397, 414 

sessions 388-403 
lifespan 406—410 
logging out 393—394 
migrating from cookies 398—399 
plus cookies 409 
size of data 410 
versus cookies 400-401 
without cookies 403 

session variables 389, 391 ， 397, 406 

setcookie() function 376, 414 
logging out users 385—386 
SHA() function 354-356, 414 
comparing passwords 355 
shared script data 254-255 
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SID superglobal 403 
signing up new users 365—371 
simplexml_load_file() function 688, 698, 711 
SimpleXMLElement object 700, 711 
simplify code 187-190 

single quotes 47, 77 

versus double quotes 92 

sorting query results 532-534, 540-541, 545-546 
spaces and variable names 26 
spaces inside of <?php ?> tags 305 

spam bots 606 

GAPTGHA 611—624 
special characters and variable names 26 
SQL 57,61 

SQL injection 335-340, 343 
SQL query 86 

SQL statements and semicolons (;) 111 
sticky forms 199-201, 204-205 
storing user data on server (see sessions) 
str_replace() function 520, 560 

string functions 510-535 

explode() function 510, 518 
implode() function 513 
str_replace() function 520 
substr() function 528—530 

strings, manipulating 

concatenating strings and variables 40—42 

LIKE clause 505-509 

preprocessing data 518-519 

queries with legitimate search terms 524-525 

replacing unwanted characters 520 

sorting query results 532-534, 540-541 

string functions (see string functions) 

substrings 528-530 

WHERE clause 523 

wildcard characters 505 

(see also regular expressions) 


strip_tags() function 726 
submit button 6 
substr() function 528-530, 560 
SUBSTRING() function 530 
substrings 528-530 
superglobal 33, 55-56 
suppressing error messages 269 
SWITCH statement 542-544 
syndication 

RSS (see RSS syndication) 

YouTube video (see YouTube video syndication) 

T 

tables 61, 75 
alias 477 
child 438 

CREATE TABLE command 64 
creating inside database 112—113 
defined 109 

diagrams of (see schema) 
joins (see joins) 
junction 440 

multiple tables and queries 472 
parent 438 

primary keys (see primary keys) 
structure 123 

uniquely identifiable rows 208—211 
versus databases 68 

templates 422-425 

temporary folders 244 

temporary persistence 375 

ternary operator 455, 459, 499 

test conditions 166-170 

testing a condition 139 

testing multiple conditions 179-182 

TEXT data type 114 

TIME data type 114—116 
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TIMESTAMP data type 114-116 
TINYINT type 322 
transferring PHP scripts to server 19 
trim() function 336, 340, 342 
type attribute 6 

TJ 

underscore (_) 26 
underscore (_) wildcard 505 
uniquely identifiable 208—211 
unlink() function 269 
UPDATE command 235 
uppercase 27 

USE command 64, 120—121 
user_id 351 

user log-ins 348-363 

constructing interface 353 
gameplan 349 

HTTP authentication 357—361 
password encryption 360 
passwords 348 
encryption 352 
SHA() function 354—356 
visual security 353 
prepping database for 351 
username 348 

using cookies rather than HTTP authentication 379 
user log-outs 384-387 
sessions 393—394 
username 348 

user permissions in MySQL 716-717 
user persistence 383 
USING keyword 476 


V 

validation 16 4 — 165 

error messages 268-270 
suppressing 269, 288 
flags and duplicate code 194 
forms 339 

if statements 166-170 
cleaner code 188—190 
else clause 184-190 

making HTML form dependent on 195 
nested 178, 187 
test conditions 168 
image file uploads 266—270 
logical operators 179-182 
order 181 
logic behind 165 

PHP functions for verifying variables 172—178 
regular expressions (see regular expressions) 
sendemail.php 171 
server-side versus client side 165 
testing multiple conditions 179-182 
trade-offs 597 

VALUES keyword 66 
order of values 66—67 

VARGHAR data type 114-116 

variable names 25 
finding perfect 26 

variables 24, 26, 27, 31 ， 55—56, 255 
counting variable 264 
concatenating strings and variables 41-42 
session 389, 391, 397, 406 
storing email pieces and parts 49 
superglobal 33 

video length calculation 703 

visualizing data 630—652 
bar graphs 
basics 644 

building an array for categories 636—638 
drawing and displaying 647 
file storage issues 651 
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visualizing data, bar graphs {continued) 

formulating plan 639—641 
generating individual 650 
storing data 632—633 
dynamically generated images 651 
image compression levels 651 

visual security 353 

w 

Watch it! 

checkdnsrr() function 599 

FTP program 248 

headers 309 

mail() function 52 

order of values 67 

sessions without cookies 403 

SQL statements and semicolons (;) 111 

web applications 
defined 105 

personalized (see personalized web apps) 
web content 

pulling from another site 680 

(see also YouTube video syndication) 
pushing 659 

RSS (see RSS syndication) 
web forms (see forms) 

web requests 276 

web servers (see servers) 

WHERE clause 96—97, 157, 293 
DELETE command 148—149 
empty search elements 523 
inner joins 475 


while loop 139-142, 157 
wildcards 505 
WordPress 730 

X 

XML 711 

accessing with objects 696 
collection of objects 697 
drilling into XML data with objects 698 
dynamically generated RSS feed 672 
entities 693 

hierarchy of elements 695 
namespaces 693, 699 
RSS syndication 661， 669 
YouTube video syndication 690 
deconstructing response 694 
XSS attack 725 

Y 

YouTube video syndication 678—712 
laying out videos for display 702—703 
request/response communication process 681 
REST request 682—687 
building 686 

simplexml_load_file() function 688, 698 
video length calculation 703 
XML 690 

deconstructing response 694 
entities 693 

hierarchy of elements 695 
namespaces 693 
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